Abstract. Recently, data abstraction has been studied in the context of separation logic,
with noticeable practical successes: the developed logics have enabled clean proofs of tricky
challenging programs, such as subject-observer patterns, and they have become the basis of
efficient verification tools for Java (jStar), C (VeriFast) and Hoare Type Theory (Ynot). In
this paper, we give a new semantic analysis of such logic-based approaches using Reynolds's
relational parametricity. The core of the analysis is our lifting theorems, which give a sound
and complete condition for when a true implication between assertions in the standard
interpretation entails that the same implication holds in a relational interpretation. Using
these theorems, we provide an algorithm for identifying abstraction-respecting client-side
proofs; the proofs ensure that clients cannot distinguish two appropriately-related module
implementations.



Data abstraction is one of the key design principles for building computer software, and it
has been the focus of active research from the early days of computer science. Recently,
data abstraction has been studied in the context of separation logic [26, 22, 27, 12],
with noticeable practical successes: the developed logics have enabled clean proofs of tricky
challenging programs, such as the subject-observer pattern, and they have become the basis
of efficient verification tools for Java (jStar [15]), C (VeriFast [18]) and Hoare Type Theory
(Ynot).



In this paper, we give a new semantic analysis of these logic-based approaches using 
Reynolds's relational parametricity. Our techniques can be used to prove representation 
independence, i.e., that clients cannot distinguish between related module implementations, 
a consequence that we would expect from using data abstraction, but (as we shall see) a 
consequence that only holds for certain good clients. 
Interface Specification

$\{1\mapsto\_\}$ init $\{a\}$    $\{a\}$ nxt $\{b\}$    $\{b\}$ fin $\{1\mapsto\_\}$
$\{a\}$ inc $\{a\}$    $\{b\}$ dec $\{b\}$

Two Implementations of a Counter

$\mathit{init}_1 \stackrel{\mathrm{def}}{=} [1]:=0$    $\mathit{nxt}_1 \stackrel{\mathrm{def}}{=} \mathit{skip}$    $\mathit{fin}_1 \stackrel{\mathrm{def}}{=} \mathit{skip}$
$\mathit{inc}_1 \stackrel{\mathrm{def}}{=} [1]:=[1]+1$    $\mathit{dec}_1 \stackrel{\mathrm{def}}{=} [1]:=[1]-1$

$\mathit{init}_2 \stackrel{\mathrm{def}}{=} [1]:=0$    $\mathit{nxt}_2 \stackrel{\mathrm{def}}{=} [1]:=-[1]$    $\mathit{fin}_2 \stackrel{\mathrm{def}}{=} [1]:=-[1]$
$\mathit{inc}_2 \stackrel{\mathrm{def}}{=} [1]:=[1]+1$    $\mathit{dec}_2 \stackrel{\mathrm{def}}{=} [1]:=[1]+1$

Client-side Proof Attempts

Left:  $\{1\mapsto\_\}$ init; $\{a\}$ inc; $\{a\}$ nxt; $\{b\}$ dec; $\{b\}$ fin $\{1\mapsto\_\}$
Right: $\{1\mapsto\_\}$ init; $\{a\}$ inc; $\{a\}$ nxt; $\{b\}$ $[1]:=[1]-1$; $\{???\}$

Figure 1: Two-stage Counter



Logic-based Data Abstraction. The basic idea of the logic-based approaches is that the
private states of modules are exposed to clients only abstractly using assertion variables [7],
also known as abstract predicates [26].¹ For concreteness, we consider a two-stage counter
module and client programs in Figure 1. The module realizes a counter with increment
and decrement operations, called inc and dec. An interesting feature is that the counter
goes through two stages in its lifetime; in the first stage, it can perform only the increment
operation, but in the second, it can only run the decrement. The interface specification in
the figure formalizes this intended behavior of the counter using assertion variables $a$ and $b$,
where $a$ means that the counter is in the first stage and $b$ that the counter is in the second.
The triple for init says that the initialization can turn the assertion $1\mapsto\_$, denoting heaps
with cell 1, into the assertion variable $a$, which describes an abstract state where we can only
call inc or nxt (since $a$ is the precondition of only those operations). The abstract state $a$
can be changed to $b$ by calling nxt, says the triple for the nxt operation. In $b$ we are allowed
to run dec but not inc. Finally, fin can turn the abstract state $b$ back to $1\mapsto\_$. Note that
by using $a$ and $b$, the interface specification does not expose the private state of the module
to the client. It reveals only partial information about the private state of the module; here
it is whether the private state is in the first or the second stage. The flexibility afforded by
revealing partial information is very useful in applications; see the examples mentioned in
the references above.

In these logic-based approaches, proof attempts for clients of a module can succeed only
when they are given with respect to the abstract interface specification, without making
any further assumptions on assertion variables. For instance, the proof attempt on the
bottom left of Figure 1 is successful, whereas the bottom right one is not, because the latter
assumes that the assertion variable $b$ entails the allocatedness of cell 1. This is not so, even
when the entailment holds for an actual definition of $b$.

¹ Abstract predicates do take arguments, though. We conjecture that it is equally expressive to use an
assertion variable for each combination of abstract predicate and concrete arguments.

Representation Independence. In this paper, we give a condition on client-side proofs that
ensures representation independence: take a client with a standard proof of correctness that
satisfies this condition and two implementations of a module; if we can relate the heap-usage
of the two modules in a way preserved by the module operations, then the client gives the
same result with both modules. To relate the heap-usage, we need to give, for each assertion
variable, a relation on heaps and verify that the module operations respect these relations
— the coupling relations.

As an example, consider the left-hand side client in Figure 1. The proof of the specification

$$\{1\mapsto\_\}\ \text{init; inc; nxt; dec; fin}\ \{1\mapsto\_\}$$

satisfies the forthcoming condition on client-side proofs. Also, we have two implementations
of the counter module that the client makes use of; both use cell 1 to represent their private
states, but in different ways — the first stores the current value of the counter, but the
second stores the current value or its negative version, depending on whether it is in the
first stage or the second. Accordingly, we give the two coupling relations:

$$r_a \stackrel{\mathrm{def}}{=} \{(h_1, h_2) \mid 1 \in \mathrm{dom}(h_1) \cap \mathrm{dom}(h_2) \wedge h_1(1) = h_2(1)\}$$
$$r_b \stackrel{\mathrm{def}}{=} \{(h_1, h_2) \mid 1 \in \mathrm{dom}(h_1) \cap \mathrm{dom}(h_2) \wedge h_1(1) = -h_2(1)\}$$

It is easy to see that all module operations preserve these coupling relations. If, say,
$(h_1, h_2) \in r_b$, then we have $h_1(1) = n$ and $h_2(1) = -n$ for some $n$ and so
$(h_1[1 \mapsto n-1], h_2[1 \mapsto -n+1]) \in r_b$ too; hence the decrement operations of the modules respect
the coupling relation. By Theorem 6.1 we now get that the client specification is valid also
in a binary reading: if we take any two heaps and run the client with one module in the
first and with the other module in the second then we will end up with two heaps holding
the same value in cell 1 — provided that we started out with two such. Indeed, the binary
reading of the assertion $1\mapsto\_$ is

$$\{(h_1, h_2) \mid 1 \in \mathrm{dom}(h_1) \cap \mathrm{dom}(h_2) \wedge h_1(1) = h_2(1)\}$$

which incidentally coincides with $r_a$.

It is worthwhile to emphasize that this is not a consequence of the standard unary
reading of the specification of the client: due to the existentially quantified content of cell
1, running with the one module could yield different contents of cell 1 than running with
the other module, even if the contents are initially the same. On the other hand, it is the
presence of this quantification that makes the binary reading worthwhile: if our client had
a more exhaustive specification, say

$$\{1\mapsto 0\}\ \text{init; inc; nxt; dec; fin}\ \{1\mapsto 0\},$$

then the standard unary reading suffices for representation independence and the binary
reading would provide no news. Often, though, the more exhaustive specification will be
harder to prove, in particular for verification tools.
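The counter of Figure 1, modelled as an added example (Python written for this edit, not code from the paper): heaps are dicts, each module is a dict of operations, the coupling relations $r_a$, $r_b$ are predicates on heap pairs, and the checks exercise the relational reading of every triple of the interface on a constructed sample of heap pairs, then run the good (left) and bad (right) clients of Figure 1 under both modules.

```python
# Added example (not from the paper): the two counter modules of Figure 1,
# the coupling relations r_a and r_b, and checks that (i) every module
# operation maps pairs related by its precondition's relation to pairs
# related by its postcondition's relation, (ii) the good client of Figure 1
# ends with equal values in cell 1 under both modules whenever it started so,
# and (iii) the bad client does not.  Heaps are dicts from positive ints to ints.
from itertools import product

# Implementation 1 stores the counter value in cell 1 in both stages.
MODULE1 = {
    "init": lambda h: {**h, 1: 0},
    "inc":  lambda h: {**h, 1: h[1] + 1},
    "nxt":  lambda h: h,
    "dec":  lambda h: {**h, 1: h[1] - 1},
    "fin":  lambda h: h,
}

# Implementation 2 negates cell 1 when entering stage two (and again on fin),
# so in stage two "dec" is implemented by adding one.
MODULE2 = {
    "init": lambda h: {**h, 1: 0},
    "inc":  lambda h: {**h, 1: h[1] + 1},
    "nxt":  lambda h: {**h, 1: -h[1]},
    "dec":  lambda h: {**h, 1: h[1] + 1},
    "fin":  lambda h: {**h, 1: -h[1]},
}

# Coupling relations from the text; r_a also coincides with the binary
# reading of 1->_ (pairs of heaps agreeing on cell 1).
def r_a(h1, h2):
    return 1 in h1 and 1 in h2 and h1[1] == h2[1]

def r_b(h1, h2):
    return 1 in h1 and 1 in h2 and h1[1] == -h2[1]

# Relational reading of the interface specification of Figure 1:
# (precondition relation, postcondition relation) for each operation.
SPEC = {
    "init": (r_a, r_a),
    "inc":  (r_a, r_a),
    "nxt":  (r_a, r_b),
    "dec":  (r_b, r_b),
    "fin":  (r_b, r_a),
}

def sample_pairs(values=range(-3, 4)):
    """Constructed sample: all pairs of heaps whose cell 1 holds a small
    value (cell 2 is an unrelated cell the modules must leave untouched)."""
    heaps = [{1: v, 2: 7} for v in values]
    return list(product(heaps, heaps))

def preserved(op):
    """True iff, on every sampled pair satisfying op's precondition relation,
    running module 1 on the first heap and module 2 on the second yields a
    pair satisfying op's postcondition relation."""
    pre, post = SPEC[op]
    return all(post(MODULE1[op](h1), MODULE2[op](h2))
               for h1, h2 in sample_pairs() if pre(h1, h2))

def run(module, steps, h):
    """Run a client: a step is a module operation name or a raw heap update."""
    for step in steps:
        h = module[step](h) if isinstance(step, str) else step(h)
    return h

GOOD_CLIENT = ["init", "inc", "nxt", "dec", "fin"]                 # Figure 1, left
BAD_CLIENT = ["init", "inc", "nxt", lambda h: {**h, 1: h[1] - 1}]  # Figure 1, right

def good_client_respects_coupling():
    """Binary reading of {1->_} GOOD_CLIENT {1->_}: from any two heaps related
    by r_a, the two runs end in heaps related by r_a."""
    return all(r_a(run(MODULE1, GOOD_CLIENT, h1), run(MODULE2, GOOD_CLIENT, h2))
               for h1, h2 in sample_pairs() if r_a(h1, h2))

def bad_client_final_values(start=5):
    """Cell 1 after the bad client under each module, from equal start heaps:
    the raw decrement assumes cell 1 holds the counter, which module 2 does
    not guarantee in stage two, so the two results differ."""
    h = {1: start, 2: 7}
    return run(MODULE1, BAD_CLIENT, h)[1], run(MODULE2, BAD_CLIENT, h)[1]
```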
Interface Specification

$\{1\mapsto\_\}$ init $\{1\mapsto\_ \wedge a * b\}$    $\{1\mapsto\_\}$ fin $\{1\mapsto\_\}$
$\{1\mapsto\_ * a \vee 1\mapsto\_ * b\}$ badfin $\{1\mapsto\_\}$

Two Implementations

$\mathit{init}_1 \stackrel{\mathrm{def}}{=} \mathit{skip}$    $\mathit{fin}_1 \stackrel{\mathrm{def}}{=} \mathit{skip}$    $\mathit{badfin}_1 \stackrel{\mathrm{def}}{=} [1]:=1$
$\mathit{init}_2 \stackrel{\mathrm{def}}{=} \mathit{skip}$    $\mathit{fin}_2 \stackrel{\mathrm{def}}{=} \mathit{skip}$    $\mathit{badfin}_2 \stackrel{\mathrm{def}}{=} [1]:=2$

Two Client-side Proofs

Left:  $\{1\mapsto\_\}$ init; $\{1\mapsto\_ \wedge a * b\}$ $\{1\mapsto\_\}$ fin $\{1\mapsto\_\}$
Right: $\{1\mapsto\_\}$ init; $\{1\mapsto\_ \wedge a * b\}$ $\{1\mapsto\_ * a \vee 1\mapsto\_ * b\}$ badfin $\{1\mapsto\_\}$

Figure 2: Good or Bad Client-side Proofs



The Rule of Consequence and Lifting. In earlier work [10] we were able to prove such a
representation independence result for a more restricted form of logical data abstraction,
namely one given by frame rules rather than general assertion variables. Roughly speaking,
frame rules use a restricted form of assertion variables that are not exposed to clients at
all, as can be seen from some models of separation logic in which frame rules are modelled
via quantification over semantic assertions [9]. This means that the rules do not allow the
exposure of even partial information about module internals. (On the other hand, frame
rules implement information hiding, because they completely relieve clients of tracking the
private state of a module, even in an abstracted form.) Our model in [10] exploited this
restricted use of assertion variables, and gave relational meanings to Hoare triple specifications,
which led to representation independence.

Removing this restriction and allowing assertion variables in client proofs turned out 
to be very challenging. The challenge is the use of the rule of consequence in client-side 
proofs; this has implications between assertions (possibly containing assertion variables) as 
hypotheses, and such do not always lift, i.e., they may hold in the standard, unary reading 
of assertion whilst failing in the binary reading. In this paper, we provide a sound and, in 
a certain sense, complete answer to when the lifting can be done. 

For instance, consider the example in Figure 2. Our results let us conclude that the
client-side proof on the left is good but the one on the right is bad; hence we expect to
derive representation independence only from the former. The client on the left calls init
and ends with the post-condition $(1\mapsto\_ \wedge a * b)$. Since $(1\mapsto\_ \wedge a * b) \Rightarrow 1\mapsto\_$ is true in the
standard interpretation, the rule of consequence can be applied to yield the precondition of
fin, which can be called, ending up with the postcondition $(1\mapsto\_)$. The key point here is
the implication used in the rule of consequence. Our results imply that this implication can
indeed be lifted to an implication between relational meanings of the assertions $(1\mapsto\_ \wedge a * b)$ and
$(1\mapsto\_)$ (Theorem 4.3 in Section 4). They also entail that this lifting implies the representation
independence theorem. The coupling relations

$$r_a \stackrel{\mathrm{def}}{=} \{(h_1, h_2) \mid 1 \in \mathrm{dom}(h_1)\}$$
$$r_b \stackrel{\mathrm{def}}{=} \{(h_1, h_2) \mid 1 \in \mathrm{dom}(h_2)\}$$

are preserved by the modules: the relational meaning of $1\mapsto\_ * a \vee 1\mapsto\_ * b$ is empty; note that
separating conjunction binds more tightly than conjunction and disjunction. Hence the
client on the left should give the same result for both modules and, indeed, both $\mathit{init}_1; \mathit{fin}_1$
and $\mathit{init}_2; \mathit{fin}_2$ are the same skip command.

The client on the right also first calls init and then uses the rule of consequence. But
this time our results say that a true implication $(1\mapsto\_ \wedge a * b) \Longrightarrow (1\mapsto\_ * a \vee 1\mapsto\_ * b)$ in
the rule of consequence does not lift to an implication between relational meanings of the
assertions: the pair of heaps $([1 \mapsto 0], [1 \mapsto 0])$ belongs to the left hand side but possibly not
to the right if the pair $([\,], [1 \mapsto 0])$ is in the interpretation of $a$ and the pair $([1 \mapsto 0], [\,])$
is in the interpretation of $b$; see Example 4.9 for details. Because of this failure, the proof
of the client does not ensure representation independence. In fact, the client can indeed
distinguish between the two module implementations — when the client is executed with
the first module implementation, the final heap maps address 1 to 1, but when the client is
executed with the second, the final heap maps address 1 to 2.
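To make the failure concrete, here is an added example (written for this edit, not code from the paper) that evaluates the binary reading of Section 3 for the two assertions above over finitely generated upward-closed relations, replaying the skewed environment from the text and, for contrast, a diagonal environment of the kind $\Delta_2$ produces. Heaps are frozensets of (location, value) items, assertions are small tuples, and $\rho$ maps each assertion variable to the generating set of its upward-closed relation; all of these representations are this example's own.

```python
# Added example (not from the paper): a small evaluator for the binary
# relational reading of assertions over finitely generated upward-closed
# relations on heaps, used to replay the lifting failure discussed above:
# (1->_ /\ a*b) => (1->_ * a \/ 1->_ * b) is unary valid, but with
# rho(a) = {([], [1->0])}^ and rho(b) = {([1->0], [])}^ the pair
# ([1->0], [1->0]) is in the left side and not in the right.
from itertools import combinations

def heap(*cells):
    """Build a heap from (location, value) pairs, e.g. heap((1, 0)) is [1->0]."""
    return frozenset(cells)

def leq(f, g):
    """f is below g in the heap-extension order (g = f . h for some h)."""
    return f <= g

def subheaps(f):
    """All g below f (f is finite, so this is a finite enumeration)."""
    items = list(f)
    return [frozenset(c) for k in range(len(items) + 1)
            for c in combinations(items, k)]

def in_closure(base, pair):
    """pair in base^ for a finitely generated upward-closed binary relation:
    some generator lies componentwise below pair."""
    f1, f2 = pair
    return any(leq(b1, f1) and leq(b2, f2) for b1, b2 in base)

def holds(assn, rho, pair):
    """pair in [[assn]]^2_rho.  Assertions: ('pt', l) for l->_, ('var', a),
    and ('star' | 'and' | 'or', assn, assn)."""
    kind = assn[0]
    f1, f2 = pair
    if kind == 'pt':      # Delta_2({f | l in dom f}): a common subheap holding cell l
        l = assn[1]
        return any(loc == l and (loc, v) in f2 for loc, v in f1)
    if kind == 'var':
        return in_closure(rho[assn[1]], pair)
    left, right = assn[1], assn[2]
    if kind == 'and':
        return holds(left, rho, pair) and holds(right, rho, pair)
    if kind == 'or':
        return holds(left, rho, pair) or holds(right, rho, pair)
    if kind == 'star':    # split each component into two disjoint parts
        return any(holds(left, rho, (g1, g2))
                   and holds(right, rho, (f1 - g1, f2 - g2))
                   for g1 in subheaps(f1) for g2 in subheaps(f2))
    raise ValueError(kind)

PT1 = ('pt', 1)
LHS = ('and', PT1, ('star', ('var', 'a'), ('var', 'b')))
RHS = ('or', ('star', PT1, ('var', 'a')), ('star', PT1, ('var', 'b')))
PAIR = (heap((1, 0)), heap((1, 0)))

def figure2_skewed():
    """The environment from the text: a relates [] to [1->0], b the converse.
    Returns (pair in LHS, pair in RHS)."""
    rho = {'a': {(heap(), heap((1, 0)))}, 'b': {(heap((1, 0)), heap())}}
    return holds(LHS, rho, PAIR), holds(RHS, rho, PAIR)

def figure2_diagonal():
    """A diagonal environment as Delta_2 would produce (cf. Lemma 3.1):
    a = {([1->0], [1->0])}^, b = {([], [])}^.  Here the implication holds."""
    rho = {'a': {(heap((1, 0)), heap((1, 0)))}, 'b': {(heap(), heap())}}
    return holds(LHS, rho, PAIR), holds(RHS, rho, PAIR)
```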

Note that we phrase the lifting only in terms of semantically true implications, without
referring to how they are proved. By doing so, we make our results relevant to automatic
tools that use the semantic model of separation logic to prove implications, such as the ones
based on shallow embeddings of the assertion logic [23].

To sum up, the question of whether representation independence holds for a client with 
a proof comes down to whether, in the proof, the implications used in the rule of consequence 
can be lifted to a relational interpretation. In this paper, we give a sound and, in a certain 
sense, complete characterization of when that holds. 

It is appropriate to remark already here, that although we extend our assertions with
assertion variables we also restrict them to contain neither ordinary nor separating implication.
And, in the end, we consider only a fragment of those. Details are given in Sections 2
and 4; here we just remark that the assertions we do study are not unlike the ones considered
in the tools mentioned in the beginning of this introduction, in particular jStar. Also
we use intuitionistic separation logic as we envision a language with garbage collection; this,
too, is in line with the jStar tool.

The rest of the paper is organized as follows:
Sections 2 and 3 give the meanings of assertions, both the standard and relational
meanings. Indeed, we give, for any $n \in \mathit{PosInt}$, the $n$-ary meaning of assertions as $n$-ary
relations on the set of heaps. These relations are intuitionistic, i.e., they are upward
closed relations with respect to heap extension.
Section 4 contains the main technical contributions of the paper. We give, for assertions
of a particular form, a sound and, in a certain sense, complete answer to the question of
when we may lift implications between assertions from the standard, unary meaning to
the binary meaning.

Section 5 has the curious spinoff result that an implication between assertions holds
for arbitrary arity if and only if it holds for reasons of parametric polymorphism in a
particular sense.
Section 6 returns to the main line of development; this is where we show that a client-side
proof yields representation independence if it uses the rule of consequence only with
implications that lift.

Section 7 concludes the paper.

Proofs are found in the appendices; the main text only gives details for a few examples.



2. Semantic Domain 

In the following section we will define the meaning of an assertion to be an $n$-ary relation on
heaps. To formalize this relational meaning, we need a semantic domain $\mathit{IRel}_n$ of relations,
which we define and explain in this section.

Let $\mathit{Heap}$ be the set of finite partial functions from positive integers to integers (i.e.,
$\mathit{Heap} \stackrel{\mathrm{def}}{=} \mathit{PosInt} \rightharpoonup_{\mathrm{fin}} \mathit{Int}$), ranged over by $f, g, h$. This is a commonly used set for modelling
heaps in separation logic, and it has a partial commutative monoid structure $([\,], \cdot)$, where
$[\,]$ is the empty heap and the $\cdot$ operator combines disjoint heaps:

$$f \cdot g \stackrel{\mathrm{def}}{=} \begin{cases} f \cup g & \text{if } \mathrm{dom}(f) \cap \mathrm{dom}(g) = \emptyset \\ \text{undefined} & \text{otherwise} \end{cases}$$

The operator $\cdot$ induces a partial order $\sqsubseteq$ on $\mathit{Heap}$, modelling heap extension, by $f \sqsubseteq g$ iff
$g = f \cdot h$ for some $h$.

We also consider the $+$ operator for combining possibly-overlapping but consistent
heaps, and the $-$ operator for subtracting one heap from another:

$$f + g \stackrel{\mathrm{def}}{=} \begin{cases} f \cup g & \text{if } \forall l \in \mathrm{dom}(f) \cap \mathrm{dom}(g).\ f(l) = g(l) \\ \text{undefined} & \text{otherwise} \end{cases}$$

$$(f - g)(l) \stackrel{\mathrm{def}}{=} \begin{cases} f(l) & \text{if } l \in \mathrm{dom}(f) \setminus \mathrm{dom}(g) \\ \text{undefined} & \text{otherwise} \end{cases}$$

We call an $n$-ary relation $r \subseteq \mathit{Heap}^n$ upward closed iff
$(f_1, \ldots, f_n) \in r \wedge (\forall i.\ f_i \sqsubseteq g_i) \Longrightarrow (g_1, \ldots, g_n) \in r$.

Definition 2.1. $\mathit{IRel}_n$ is the family of upward closed $n$-ary relations on heaps.

Note that $\mathit{IRel}_1$ consists of upward closed sets of heaps, which are frequently used to
interpret assertions in separation logic for garbage-collected languages. We call elements of
$\mathit{IRel}_1$ predicates and denote them by $p, q$.

For every $n \ge 1$, domain $\mathit{IRel}_n$ has a complete lattice structure: join and meet are given
by union and intersection, bottom is the empty relation, and top is $\mathit{Heap}^n$. The domain
also has a semantic separating conjunction connective defined by

$$(f_1, \ldots, f_n) \in r * s \ \stackrel{\mathrm{def}}{\Longleftrightarrow}\ \exists (g_1, \ldots, g_n) \in r.\ \exists (h_1, \ldots, h_n) \in s.\ (g_1, \ldots, g_n) \cdot (h_1, \ldots, h_n) = (f_1, \ldots, f_n).$$

Here we use the component-wise extension of $\cdot$ for tuples. Intuitively, a tuple is related by
$r * s$ when it can be split into two disjoint tuples, one related by $r$ and the other by $s$.

The domain $\mathit{IRel}_1$ of predicates is related to $\mathit{IRel}_n$ for every $n$, by the map
$\Delta_n \stackrel{\mathrm{def}}{=} \lambda p.\ \{(f, \ldots, f) \mid f \in p\}{\uparrow}$, where ${\uparrow}$ is the upward closure on relations. Note that each
predicate is turned into an $n$-ary identity relation on $p$ modulo the upward closure. This
map behaves well with respect to the structures discussed on $\mathit{IRel}_1$ and $\mathit{IRel}_n$, as expressed
by the lemma below:

Lemma 2.2. Function $\Delta_n$ preserves the complete lattice structure and the $*$ operator.

For every n > 1, the domain IRel n has further structure: it has standard, semantic 
separating implication and upwards-closed implication; as such, it is a complete BI algebra 
[8]. Unfortunately, the above lemma fails for both implications. And that lemma is the 
pivot of the upcoming results; it is the basic link between the unary and binary (and n-ary) 
readings of assertions. This is why we leave out these connectives in our assertions in the 
next section; it is a fundamental limitation in our approach. 

3. Assertions and Relational Semantics 

Let $\mathit{Var}$ and $\mathit{AVar}$ be disjoint sets of normal variables $x, y, \ldots$ and assertion variables $a, b, \ldots$,
respectively. Our assertions $\varphi$ are from separation logic, and they conform to the following
grammar:

$$E ::= x \mid 0 \mid 1 \mid E + E \mid \ldots \qquad P ::= E \mapsto E \mid \ldots$$
$$\varphi ::= P \mid a \mid \varphi * \varphi \mid \mathit{true} \mid \varphi \wedge \varphi \mid \mathit{false} \mid \varphi \vee \varphi \mid \forall x.\ \varphi \mid \exists x.\ \varphi$$

In the grammar, $E$ is a heap-independent expression, and $P$ is a primitive predicate, which
in the standard interpretation denotes an upward closed set of heaps. For instance, $E \mapsto E'$
means heaps containing cell $E$ with contents $E'$. The dots in the grammar indicate possible
extensions of cases, such as multiplication for $E$ and inductive predicates for $P$. We will
use the abbreviation $E \mapsto \_$ for $\exists y.\ E \mapsto y$.

An assertion $\varphi$ is given a meaning $[\![\varphi]\!]^n_{\eta,\rho} \in \mathit{IRel}_n$ as an $n$-ary relation on heaps, where
the arity $n$ is a parameter of the interpretation. Here environment $\eta$ maps normal variables
in $\varphi$ to integers, and $\rho$ maps assertion variables in $\varphi$ to $n$-ary relations in $\mathit{IRel}_n$. When
$\varphi$ does not contain any assertion variables, we often omit $\rho$ and write $[\![\varphi]\!]^n_\eta$, because the
meaning of $\varphi$ does not depend on $\rho$. We will make use of unary and binary semantics in most
places, but in Section 5 we will explore higher arities as well.

We define the semantics of $\varphi$, using the complete lattice structure and the $*$ operator
of the domain $\mathit{IRel}_n$; see Figure 3. Note that the relational semantics of primitive predicates
is defined by embedding their standard meanings via $\Delta_n$. In fact, this embedding relationship
holds for all assertions without assertion variables, because $\Delta_n$ preserves the semantic
structures of the domains (Lemma 2.2):

Lemma 3.1. For all $\varphi$ and $\eta, \rho, \rho'$, if $\Delta_n(\rho(a)) = \rho'(a)$ for every $a \in \mathit{AVar}$, we have that

$$\Delta_n([\![\varphi]\!]^1_{\eta,\rho}) = [\![\varphi]\!]^n_{\eta,\rho'}.$$

We write $\varphi \models_n \psi$ to mean that $[\![\varphi]\!]^n_{\eta,\rho} \subseteq [\![\psi]\!]^n_{\eta,\rho}$ holds for all environments $\eta, \rho$. If
$n = 1$, this reduces to the standard semantics of assertions in separation logic. We will use
the phrase "$\varphi \Longrightarrow \psi$ is $n$-ary valid" to mean that $\varphi \models_n \psi$ holds. In addition, we write
$\varphi \models^\eta_n \psi$ for a fixed $\eta$ to mean that $[\![\varphi]\!]^n_{\eta,\rho} \subseteq [\![\psi]\!]^n_{\eta,\rho}$ holds for all environments $\rho$; we say that
"$\varphi \Longrightarrow \psi$ is $n$-ary $\eta$-valid" if this is true.

4. Lifting Theorems and Completeness 

We call an assertion $\varphi$ simple if it is of the form $\bigvee_i \bigwedge_j \varphi_{ij} * \vec{a}_{(i,j)}$, where $\vec{a}_{(i,j)}$ is a
vector of assertion variables and $\varphi_{ij}$ is an assertion not containing any assertion variables.
We will consider the question of lifting an implication between simple assertions $\varphi, \psi$ to a
binary relational interpretation: when does $\varphi \models_1 \psi$ imply that $\varphi \models_2 \psi$?
$$[\![P]\!]^n_{\eta,\rho} \stackrel{\mathrm{def}}{=} \Delta_n((\!|P|\!)_\eta) \qquad [\![a]\!]^n_{\eta,\rho} \stackrel{\mathrm{def}}{=} \rho(a) \qquad [\![\varphi * \psi]\!]^n_{\eta,\rho} \stackrel{\mathrm{def}}{=} [\![\varphi]\!]^n_{\eta,\rho} * [\![\psi]\!]^n_{\eta,\rho}$$
$$[\![\mathit{true}]\!]^n_{\eta,\rho} \stackrel{\mathrm{def}}{=} \mathit{Heap}^n \qquad [\![\varphi \wedge \psi]\!]^n_{\eta,\rho} \stackrel{\mathrm{def}}{=} [\![\varphi]\!]^n_{\eta,\rho} \cap [\![\psi]\!]^n_{\eta,\rho}$$
$$[\![\mathit{false}]\!]^n_{\eta,\rho} \stackrel{\mathrm{def}}{=} \emptyset \qquad [\![\varphi \vee \psi]\!]^n_{\eta,\rho} \stackrel{\mathrm{def}}{=} [\![\varphi]\!]^n_{\eta,\rho} \cup [\![\psi]\!]^n_{\eta,\rho}$$
$$[\![\forall x.\ \varphi]\!]^n_{\eta,\rho} \stackrel{\mathrm{def}}{=} \bigcap_{v \in \mathit{Int}} [\![\varphi]\!]^n_{\eta[x \mapsto v],\rho} \qquad [\![\exists x.\ \varphi]\!]^n_{\eta,\rho} \stackrel{\mathrm{def}}{=} \bigcup_{v \in \mathit{Int}} [\![\varphi]\!]^n_{\eta[x \mapsto v],\rho}$$

where $(\!|P|\!)_\eta$ is the standard semantics of $P$ as an upward closed set of heaps, which
satisfies:

$$(\!|E \mapsto F|\!)_\eta = \{ f \mid [\![E]\!]_\eta \in \mathrm{dom}(f) \wedge f([\![E]\!]_\eta) = [\![F]\!]_\eta \}.$$

Figure 3: Interpretation of Assertions



The simple assertions are a fragment of the assertions considered in the above section:
simple assertions are not, in general, closed under separating conjunction as the latter does
not distribute over conjunction, nor are quantified simple assertions necessarily simple. The
divide, however, between simple and non-simple assertions is not deep. The forthcoming
completeness result is intimately connected to the form of the assertions, but it is very
possible that the basic ideas from lifting could be applied to a larger fragment. We have not
considered that to any extent, however. It is worth mentioning that all assertions considered
in Section 1 are simple. On the other hand, for assertions $\varphi_1, \varphi_2$ and $\varphi_3$ with no assertion
variables and assertion variables $a_1, a_2$ and $a_3$, we do not, in general, have simplicity of an
assertion like

$$[(\varphi_1 * a_1) \wedge (\varphi_2 * a_2)] * [\varphi_3 * a_3].$$

It should be noted that simple assertions include most of the important aspects of the
fragments of separation logic used by automatic program analysis tools. For instance, if we
ignore so called primed variables (which correspond to existentially-quantified variables), the
original Space Invader uses separation-logic formulas of the form $\bigvee_i (P_{i,1} * \ldots * P_{i,k_i})$ [13],
and its most recent extension for handling a particular class of graph-like data structures
uses $\bigwedge_j \bigvee_i (P_{i,j,1} * \ldots * P_{i,j,k_{i,j}})$ [?]. Note that in both cases, either formulas are already
simple or they can be easily transformed to equivalent simple formulas. The assertions used
by the jStar tool [15] have neither ordinary implication, separating implication nor ordinary
conjunction and only quite restricted use of quantifiers. Since proofs obtained from such
tools are one target of our results, we argue that the restrictions imposed on assertions are
not unreasonable in terms of usage.

The starting point of our analysis is to realize that it is sufficient to study implications
of the form:

$$\bigwedge_{i=1}^{M} \varphi_i * a_{i,1} * \cdots * a_{i,M_i} \ \Longrightarrow\ \bigvee_{j=1}^{N} \psi_j * b_{j,1} * \cdots * b_{j,N_j} \qquad (4.1)$$

where the $\varphi_i$'s and $\psi_j$'s do not contain assertion variables, and no assertion variables occur only
on the right hand side of the implication.

Lemma 4.1. There is an algorithm taking simple assertions $\varphi, \psi$ and returning finitely
many implications $\{\varphi^l \Longrightarrow \psi^l\}_{l \in L}$, such that (a) $\varphi^l \Longrightarrow \psi^l$ has the form (4.1) for all $l \in L$,
and (b) for any $n \in \{1, 2\}$, we have that $\varphi \models_n \psi$ holds iff $\varphi^l \models_n \psi^l$ holds for all $l \in L$.
The algorithm in the lemma is given in Appendix B.

Thus, in this section, we will focus on lifting implications of the form (4.1). Specifically,
we will give a complete answer to the following question: Given one such implication that is
$\eta$-valid in the unary interpretation for some environment $\eta$, can we decide if the implication
is $\eta$-valid in the binary interpretation merely by inspection of the layout of the assertion
variables? The answer will come in two parts. The first part, in Section 4.3, provides three
lifting theorems, each of which has a criterion on the variable layout that, if met, implies
that $\eta$-validity may be lifted regardless of the $\varphi_i$'s and $\psi_j$'s. The second part, in Section 4.4,
is a completeness theorem; it states that if the variables fail the criteria of all three lifting
theorems then there are choices of $\varphi_i$'s and $\psi_j$'s with no variables such that we have unary
but not binary validity.

This approach has pros and cons. Assume that we have an implication of the aforementioned
form that is valid in the unary interpretation, and we would like to know if it
is valid in the binary interpretation too. Trying out the layout of the variables against the
criteria of the three lifting theorems is an easily decidable and purely syntactical process
- and if it succeeds then we have binary validity. If it fails, however, we are at a loss; we
know that there are $\varphi_i$'s and $\psi_j$'s with the same variable layout such that lifting fails but
we do not learn anything about our concrete implication. There is, however, an alternate
use of the theory below if the lifting criteria fail; we will elaborate on that in Section 5.

4.1. Notation. We need some notation that will accompany us throughout this section.
Consider an implication of the form (4.1). Let $V = \bigcup_{i=1}^{M} \{a_{i,1}, \ldots, a_{i,M_i}\}$ be the set of all left
hand side assertion variables; these include the right hand side assertion variables too by
assumption. Define $\Pi : \{1, \ldots, M\} \to \mathit{Nat}^V$ and $\Omega : \{1, \ldots, N\} \to \mathit{Nat}^V$ by the following:

$$\Pi(i)(c) \stackrel{\mathrm{def}}{=} |\{k \mid a_{i,k} = c\}|, \qquad \Omega(j)(c) \stackrel{\mathrm{def}}{=} |\{k \mid b_{j,k} = c\}|.$$

These functions give vectors of assertion variable counts for each conjunct and disjunct.
For $1 \le i \le M$ and $1 \le j \le N$ we write $\Pi(i) \ge \Omega(j)$ if we have $\Pi(i)(c) \ge \Omega(j)(c)$ for each
variable $c \in V$, i.e., if conjunct $i$ has the same or a greater number of occurrences of all
variables than disjunct $j$. We write $\Pi(i) \not\ge \Omega(j)$ if this fails, i.e., if there is $c \in V$ such that
$\Pi(i)(c) < \Omega(j)(c)$. If a conjunct, say conjunct $i$, has no variables, i.e., if $\Pi(i)(c) = 0$ holds
for all $c \in V$, then we say it is empty; the same goes for the disjuncts.

We shall write $\_ \mapsto \_$ to denote $\exists n, m.\ n \mapsto m$, meaning heaps with at least one cell. On the
semantic side, we write $[m]$ for $m \in \mathit{PosInt}$ to denote the heap that stores $0$ at location $m$
and nothing else. For $m_0, \ldots, m_n \in \mathit{PosInt}$ different we write $[m_0, \ldots, m_n]$ for $[m_0] \cdot \ldots \cdot [m_n]$.

Finally we introduce a piece of sanity-preserving graphical notation. We depict an
implication of the form (4.1) as a complete bipartite graph with the conjuncts lined up on
the left hand side and the disjuncts on the right hand side. For any $1 \le i \le M$ and any
$1 \le j \le N$ we draw a solid line from conjunct $i$ to disjunct $j$ if $\Pi(i) \ge \Omega(j)$. We label that
line with all the $c \in V$ such that $\Pi(i)(c) > \Omega(j)(c)$ if indeed there are any such. If, on the
other hand, $\Pi(i) \not\ge \Omega(j)$ then we draw a dashed line instead and label it with all the $c \in V$
such that $\Pi(i)(c) < \Omega(j)(c)$. Note that the drawing of edges depends solely on the layout of
the variables; the $\varphi_i$'s and $\psi_j$'s have no say in the matter. As an example, the implication

$$1\mapsto\_ \wedge a * b \ \Longrightarrow\ 1\mapsto\_ * a \vee 1\mapsto\_ * b,$$
which we shall look into in Example 4.9, is depicted as follows (the drawing is rendered
here as a description of its edges):

The conjuncts $1\mapsto\_$ (empty) and $a * b$ are on the left; the disjuncts $1\mapsto\_ * a$ and $1\mapsto\_ * b$
are on the right. From $1\mapsto\_$ there is a dashed line labelled $a$ to $1\mapsto\_ * a$ and a dashed line
labelled $b$ to $1\mapsto\_ * b$. From $a * b$ there is a solid line labelled $b$ to $1\mapsto\_ * a$ and a solid line
labelled $a$ to $1\mapsto\_ * b$.

With a little experience, it is quite easy to check the conditions of the upcoming lifting
theorems by looking at the corresponding graph; the graphs expose the structure of the
assertions important to the proofs.
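As an added example (written for this edit, not code from the paper), the following computes $\Pi$, $\Omega$ and the solid/dashed edges with their labels for a variable layout given as lists of variables per conjunct and disjunct; applied to the implication above it reproduces the edges just described, and it also handles the layout of Example 4.2 below. The input representation and function names are this example's own.

```python
# Added example (not from the paper): the purely syntactic part of the
# analysis.  A layout is given by listing, for each conjunct and each
# disjunct of an implication of form (4.1), its assertion variables with
# repetition; the graph is returned as a dict from (i, j) (1-based) to
# ('solid' | 'dashed', sorted labels).
from collections import Counter

def counts(variables):
    """Pi(i) or Omega(j): occurrence count of each assertion variable."""
    return Counter(variables)

def layout_graph(conjuncts, disjuncts):
    """Edges of the complete bipartite graph: solid from conjunct i to
    disjunct j iff Pi(i) >= Omega(j) (labelled with c where Pi(i)(c) >
    Omega(j)(c)), dashed otherwise (labelled with c where Pi(i)(c) < Omega(j)(c))."""
    V = set().union(*map(set, conjuncts))
    extra = set().union(*map(set, disjuncts)) - V
    if extra:  # form (4.1) forbids variables occurring only on the right
        raise ValueError(f"variables only on the right-hand side: {sorted(extra)}")
    edges = {}
    for i, ci in enumerate(conjuncts, 1):
        pi = counts(ci)
        for j, dj in enumerate(disjuncts, 1):
            om = counts(dj)
            if all(pi[c] >= om[c] for c in V):
                edges[(i, j)] = ('solid', sorted(c for c in V if pi[c] > om[c]))
            else:
                edges[(i, j)] = ('dashed', sorted(c for c in V if pi[c] < om[c]))
    return edges

def empty_indices(parts):
    """1-based indices of the empty conjuncts (or disjuncts): no variables."""
    return [k for k, vs in enumerate(parts, 1) if not vs]

# The implication 1->_ /\ a*b => 1->_ * a \/ 1->_ * b from the text:
FIGURE2_EDGES = layout_graph([[], ['a', 'b']], [['a'], ['b']])
# The implication of Example 4.2 (Shadow-Lift):
EXAMPLE42_EDGES = layout_graph([['a', 'b'], ['a', 'b', 'b']],
                               [['a', 'b', 'b'], ['b', 'b']])
```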



4.2. Strategy. We give a brief strategic overview before the onslaught. Consider an implication
of the form (4.1). If the layout of the variables satisfies (at least) one of three
upcoming criteria then we know this: unary $\eta$-validity holds only if it holds for 'obvious
reasons'. The latter is captured precisely in the Parametricity Condition but, loosely, it
says that there are $1 \le i \le M$ and $1 \le j \le N$ such that $\varphi_i \Longrightarrow \psi_j$ is $\eta$-valid in the unary
interpretation and such that $\Pi(i) \ge \Omega(j)$. This is sufficiently parametric in the treatment
of assertion variables that it immediately implies binary $\eta$-validity and even $n$-ary $\eta$-validity
for any $n$.

The three criteria, as given in the next subsection, are rather technical; each is what it
takes for the proof idea of the corresponding lifting theorem to go through. They are complete,
however: if the implication fails all three criteria then there are choices of $\varphi_i$'s and $\psi_j$'s
such that unary $\eta$-validity holds for 'non-obvious reasons'; in particular such that binary
$\eta$-validity fails. Non-obvious reasons come down to exploiting the limited arity in different
ways; we elaborate on that in Subsection 4.4.



4.3. Layouts that Lift. The following is a first example of a layout of variables that ensures
that for any choice of $\varphi_i$'s and $\psi_j$'s we get that unary $\eta$-validity of the implication yields
binary $\eta$-validity. That it holds is a consequence of Theorem 4.5 but we have spelled out a
concrete proof that will serve as a guide to the further development.

Example 4.2 (Shadow-Lift). For any four assertions $\varphi_1, \varphi_2, \psi_1, \psi_2$ with no assertion variables
and any appropriate environment $\eta$ we have that unary $\eta$-validity of the following
implication implies binary $\eta$-validity:

$$\varphi_1 * a * b \ \wedge\ \varphi_2 * a * b * b \ \Longrightarrow\ \psi_1 * a * b * b \ \vee\ \psi_2 * b * b$$

In the graph of this implication, both lines from the conjunct $\varphi_1 * a * b$ are dashed and
labelled $b$; the line from $\varphi_2 * a * b * b$ to $\psi_1 * a * b * b$ is solid and unlabelled, and the line
from $\varphi_2 * a * b * b$ to $\psi_2 * b * b$ is solid and labelled $a$.

Assume that we have unary $\eta$-validity. Before we go on to consider the binary case we derive
a simple unary consequence that does not involve assertion variables: For any $h \in \mathit{Heap}$ with
subheaps $h_1 \sqsubseteq h$ and $h_2 \sqsubseteq h$ such that $h_1 \in [\![\varphi_1]\!]^1_\eta$ and $h_2 \in [\![\varphi_2]\!]^1_\eta$ we get that $h_2 \in [\![\psi_1]\!]^1_\eta$
or that $h_2 \in [\![\psi_2]\!]^1_\eta$.

To prove this, let $h, h_1$ and $h_2$ be as assumed. We build $\rho : \{a, b\} \to \mathit{IRel}_1$ by letting
$\rho(a) = \mathit{Heap}$ and letting $\rho(b)$ be the following union of sets of heaps:

$$\{(h - h_1) \cdot [n, n+1]\}{\uparrow} \ \cup\ \{(h - h_2) \cdot [n]\}{\uparrow} \ \cup\ \{[n+1]\}{\uparrow}$$
where $n = \max(\mathrm{dom}(h) \cup \{0\}) + 1$. It is now immediate that $h \cdot [n, n+1]$ lies in the
interpretation of both conjuncts since

$$h_1 \cdot (h - h_1) \cdot [n, n+1] = h \cdot [n, n+1] = h_2 \cdot (h - h_2) \cdot [n] \cdot [n+1],$$

and so by our assumption on the original implication it must lie in the interpretation of
one of the disjuncts too. Suppose that we have

$$h \cdot [n, n+1] \in [\![\psi_1 * a * b * b]\!]^1_{\eta,\rho} = [\![\psi_1]\!]^1_\eta * \rho(b) * \rho(b),$$

where the equality holds because $\rho(a) = \mathit{Heap}$ is the unit for $*$. We then write $h \cdot [n, n+1] =
g_1 \cdot g_2 \cdot g_3$ for $g_1 \in [\![\psi_1]\!]^1_\eta$ and $g_2, g_3 \in \rho(b)$. But as $g_2$ and $g_3$ have disjoint domains we must
have $(h - h_2) \cdot [n] \sqsubseteq g_2$ and $[n+1] \sqsubseteq g_3$ or the version with $g_2$ and $g_3$ swapped. In any case
we have that

$$\mathrm{dom}(g_1) = \mathrm{dom}(h \cdot [n, n+1]) \setminus \mathrm{dom}(g_2 \cdot g_3)
\subseteq \mathrm{dom}(h \cdot [n, n+1]) \setminus (\mathrm{dom}(h - h_2) \cup \{n, n+1\})
= \mathrm{dom}(h_2).$$

But then we have $g_1 \sqsubseteq h_2$ and since $g_1 \in [\![\psi_1]\!]^1_\eta$ we get $h_2 \in [\![\psi_1]\!]^1_\eta$ too. If we have
$h \cdot [n, n+1] \in [\![\psi_2 * b * b]\!]^1_{\eta,\rho}$ we proceed similarly.

The above short proof is the crux of the example. It implies unary $\eta$-validity - this we
knew already - but also the binary $\eta$-validity. To see this, we pick an arbitrary environment
$\rho : \{a, b\} \to \mathit{IRel}_2$, we take arbitrary $(h_1, h_2) \in [\![\varphi_1 * a * b \wedge \varphi_2 * a * b * b]\!]^2_{\eta,\rho}$ and we aim to
prove that $(h_1, h_2) \in [\![\psi_1 * a * b * b \vee \psi_2 * b * b]\!]^2_{\eta,\rho}$ too. We split $(h_1, h_2)$ according to the
conjuncts. Because of Lemma 3.1 and the upward closedness condition of $\mathit{IRel}_2$, we can
write

$$(h_1, h_2) = (g^1, g^1) \cdot (g^2_1, g^2_2) \cdot (g^3_1, g^3_2)$$

for $g^1 \in [\![\varphi_1]\!]^1_\eta$, $(g^2_1, g^2_2) \in \rho(a)$ and $(g^3_1, g^3_2) \in \rho(b)$. Also we can write

$$(h_1, h_2) = (f^1, f^1) \cdot (f^2_1, f^2_2) \cdot (f^3_1, f^3_2) \cdot (f^4_1, f^4_2)$$

for $f^1 \in [\![\varphi_2]\!]^1_\eta$, $(f^2_1, f^2_2) \in \rho(a)$ and $(f^3_1, f^3_2), (f^4_1, f^4_2) \in \rho(b)$. But now $g^1 + f^1$ with subheaps
$g^1$ and $f^1$ meet the conditions of the unary consequence from above, and so we get $f^1 \in [\![\psi_1]\!]^1_\eta$
or $f^1 \in [\![\psi_2]\!]^1_\eta$ and the second splitting of $(h_1, h_2)$ shows that $(h_1, h_2)$ lies in the binary
interpretation of the first or second disjunct, respectively. Notice that neither $g^1 \in [\![\psi_1]\!]^1_\eta$
nor $g^1 \in [\![\psi_2]\!]^1_\eta$ would have worked since the first conjunct has too few variables, i.e.,

$$\Pi(1) \not\ge \Omega(1) \ \text{ and } \ \Pi(1) \not\ge \Omega(2). \qquad \square$$

The simple idea justifies the odd choice of name: we attach to each occurrence of b in the 
conjuncts a 'shadow' in such a way that any two shadows from different conjuncts overlap. 
This means that the two occurrences of b in, say, the first disjunct must correspond to 
occurrences of b in the same conjunct; in particular that conjunct must have at least two 
occurrences. We attach no shadow to a, instead we remove a by instantiating to Heap; this 
is because the second disjunct lacks an occurrence of a and hence we may fail to 'peel off' 
the entire shadow. Had a occurred as the single label of a dashed line, this removal would 
have 'introduced' a solid line and the approach would fail. 

Generalizing the unary consequence that served as the crucial stepping stone in the
above example we arrive at the following condition on our implications:

Definition 4.3 (Parametricity Condition). Assume that we have an implication of the
form (4.1) and an appropriate environment $\eta$. We say that the Parametricity Condition is
satisfied if, for all $h, h_1, \ldots, h_M \in \mathrm{Heap}$ with $h_i \sqsubseteq h$ and $h_i \in [\![\varphi_i]\!]^1_\eta$ for all $1 \leq i \leq M$, it
is the case that one (or both) of the following conditions hold:

(1) There are $1 \leq i \leq M$ and $1 \leq j \leq N$ such that $h_i \in [\![\psi_j]\!]^1_\eta$ and $\Pi(i) \geq \Omega(j)$.

(2) There is $1 \leq j \leq N$ such that $h \in [\![\psi_j]\!]^1_\eta$ and the $j$-th disjunct is empty.

Note that specializing the Parametricity Condition, henceforth just the PC, to an
implication of the form treated in the above example yields the stated unary consequence
because no disjuncts are empty. The second option in the PC will be motivated later.

We emphasize that the PC may hold or may fail for any given combination of an
implication and environment $\eta$. But if it holds then we have binary $\eta$-validity; the proof in
case of the first option of the PC is an easy generalization of the latter half of the above
example:

Proposition 4.4. The PC implies binary $\eta$-validity.

We arrive now at the first lifting theorem. It is a generalization of the former half of
Example 4.2; the proof of the theorem has a lot more details to it than the example but
the overall idea is the same. The theorem states a criterion on the layout of the variables
that, if met, means that unary $\eta$-validity implies the PC and hence also binary $\eta$-validity.
The criterion is, loosely, that we can remove all variables that occur as labels of solid lines
without introducing new solid lines and without emptying any disjuncts:

Theorem 4.5 (Shadow-Lift). Unary $\eta$-validity of an implication implies the PC if each
dashed line is labeled with at least one variable which is not a label on a solid line and each
disjunct has an occurrence of a variable that is not a label on a solid line. Spelling it out in
symbols, we require, with $L = \{(i, j) \mid 1 \leq i \leq M \wedge 1 \leq j \leq N\}$, that

$\forall (i, j) \in L.\ \Pi(i) \not\geq \Omega(j) \Longrightarrow \exists c \in V.\ \Pi(i)(c) < \Omega(j)(c) \wedge (\forall (k, l) \in L.\ \Pi(k) \geq \Omega(l) \Longrightarrow \Pi(k)(c) = \Omega(l)(c))$

and

$\forall 1 \leq j \leq N.\ \exists c \in V.\ \Omega(j)(c) > 0 \wedge (\forall (k, l) \in L.\ \Pi(k) \geq \Omega(l) \Longrightarrow \Pi(k)(c) = \Omega(l)(c)).$

As motivation for the next lifting theorem, we note that the variable layout criterion of
the above theorem fails if one or more disjuncts are empty. Correspondingly, we never touch
upon the second option of the PC. But there are variable layouts with empty disjuncts that
ensure lifting:

Example 4.6 (Balloon-Lift). For any four assertions $\varphi_1, \varphi_2, \psi_1, \psi_2$ with no assertion
variables and any appropriate environment $\eta$ we have that unary $\eta$-validity of the following
implication implies binary $\eta$-validity:

$\varphi_1 * a \ \wedge\ \varphi_2 * a * b \Longrightarrow \psi_1 * a * b \ \vee\ \psi_2$

(drawn in the original as a variable-layout diagram with labeled lines between conjuncts and disjuncts).

Assume unary $\eta$-validity. As in Example 4.2 we derive a unary consequence as an intermediate
result: for any $h \in \mathrm{Heap}$ with subheaps $h_1 \sqsubseteq h$ and $h_2 \sqsubseteq h$ such that $h_1 \in [\![\varphi_1]\!]^1_\eta$ and
$h_2 \in [\![\varphi_2]\!]^1_\eta$ we have that either $h_2 \in [\![\psi_1]\!]^1_\eta$ or $h \in [\![\psi_2]\!]^1_\eta$.




TWO FOR THE PRICE OF ONE: LIFTING SEPARATION LOGIC ASSERTIONS 






To prove this, let $h$, $h_1$ and $h_2$ be as assumed. We construct $\rho : \{a, b\} \to \mathrm{IRel}_1$ by letting
$\rho(a) = \mathrm{Heap}$ and $\rho(b) = \{h - h_2\}^{\uparrow}$. We get that

$h \sqsupseteq h_1 \in [\![\varphi_1]\!]^1_\eta * \mathrm{Heap} = [\![\varphi_1 * a]\!]^1_{\eta,\rho},$

and

$h = h_2 \cdot (h - h_2) \in [\![\varphi_2]\!]^1_\eta * \mathrm{Heap} * \{h - h_2\}^{\uparrow} = [\![\varphi_2 * a * b]\!]^1_{\eta,\rho}.$

This means that $h$ must lie in the interpretation of one of the disjuncts. If it is the first, we
inspect the interpretation and get that

$h = g_1 \cdot g_2 \cdot g_3$

for $g_1 \in [\![\psi_1]\!]^1_\eta$, $g_2 \in \mathrm{Heap}$ and $g_3 \sqsupseteq h - h_2$. It means that

$\mathrm{dom}(g_1) = \mathrm{dom}(h) \setminus \mathrm{dom}(g_2 \cdot g_3) \subseteq \mathrm{dom}(h) \setminus \mathrm{dom}(g_3) \subseteq \mathrm{dom}(h) \setminus \mathrm{dom}(h - h_2) = \mathrm{dom}(h_2),$

which implies that $g_1 \sqsubseteq h_2$ and so $h_2 \in [\![\psi_1]\!]^1_\eta$. If, on the other hand, $h$ lies in the
interpretation of the second disjunct then we are done immediately.

Now we prove the claim of binary $\eta$-validity. We pick an arbitrary environment $\rho :
\{a, b\} \to \mathrm{IRel}_2$, we take an arbitrary $(h_1, h_2) \in [\![\varphi_1 * a \wedge \varphi_2 * a * b]\!]^2_{\eta,\rho}$ and we must prove that
$(h_1, h_2) \in [\![\psi_1 * a * b \vee \psi_2]\!]^2_{\eta,\rho}$ too. We write

$(h_1, h_2) = (g^1, g^1) \cdot (g^2_1, g^2_2)$

for $g^1 \in [\![\varphi_1]\!]^1_\eta$ and $(g^2_1, g^2_2) \in \rho(a)$, and

$(h_1, h_2) = (f^1, f^1) \cdot (f^2_1, f^2_2) \cdot (f^3_1, f^3_2)$

for $f^1 \in [\![\varphi_2]\!]^1_\eta$, $(f^2_1, f^2_2) \in \rho(a)$ and $(f^3_1, f^3_2) \in \rho(b)$. But now $g^1 + f^1$ with subheaps $g^1$ and
$f^1$ satisfies the above properties and so we get $f^1 \in [\![\psi_1]\!]^1_\eta$ or $g^1 + f^1 \in [\![\psi_2]\!]^1_\eta$. If $f^1 \in [\![\psi_1]\!]^1_\eta$
holds then the second splitting of $(h_1, h_2)$ shows that $(h_1, h_2)$ is in the interpretation of
the first disjunct. If $g^1 + f^1 \in [\![\psi_2]\!]^1_\eta$, we are done too, since we may write $(h_1, h_2) =
(g^1 + f^1, g^1 + f^1) \cdot (e_1, e_2)$ for some $(e_1, e_2) \in \mathrm{Heap}^2$ and so $(h_1, h_2)$ lies in the interpretation
$[\![\psi_2]\!]^2_\eta = \Delta_2([\![\psi_2]\!]^1_\eta)$ of the second disjunct. $\square$

Once again, the underlying idea is simple: we attach 'shadows' to occurrences of variables,
but this time we stay within the original heap. This is quite inhibitory as we
may have to use the empty heap as shadow. Again we remove a variable (in general a set
of variables) by instantiating to Heap, but the remaining variable (in general the remaining
set of variables) must satisfy quite restrictive demands.

Just as we did for Example 4.2 we may generalize the former half of this example,
yielding Theorem 4.7 below. The latter half of the example, on the other hand, constitutes
an example of the approach of the proof of Proposition 4.4 in case we run into the second
option of the PC. Note also that specializing the PC to an implication of the form considered
in the example yields the stated unary consequence.

Theorem 4.7 (Balloon-Lift). Unary $\eta$-validity of an implication implies the PC if there is
a subset $B \subseteq V$ with the following three properties. First, each conjunct has at most one
occurrence of a variable from $B$, i.e.,

$\forall 1 \leq i \leq M.\ \sum_{c \in B} \Pi(i)(c) \leq 1.$

Second, each disjunct is empty or has exactly one occurrence of a variable from $B$, i.e.,

$\forall 1 \leq j \leq N.\ \sum_{c \in V} \Omega(j)(c) = 0 \ \vee\ \sum_{c \in B} \Omega(j)(c) = 1.$

Third, each dashed line must have a label from $B$. That is, when $L = \{(i, j) \mid 1 \leq i \leq
M \wedge 1 \leq j \leq N\}$,

$\forall (i, j) \in L.\ \Pi(i) \not\geq \Omega(j) \Longrightarrow \exists c \in B.\ \Pi(i)(c) < \Omega(j)(c).$

One thing to note about the theorem is that if we have no empty disjuncts, none of the
variables in the subset $B \subseteq V$ can be labels of a solid line. In particular, the conditions of
Theorem 4.5 are met, so the above theorem is really only useful if one or more disjuncts are
empty. A simple but pleasing observation is that this theorem is applicable if all conjuncts
and all disjuncts have at most a single occurrence of any assertion variable; in that case,
we can just choose $B = V$ above.

The final lifting theorem captures the oddities of the special case of just one conjunct:

Theorem 4.8 (Lonely-Lift). Unary $\eta$-validity of an implication implies the PC if there is
just one conjunct, i.e., $M = 1$, and all lines are solid, i.e., $\Pi(1) \geq \Omega(j)$ for all $1 \leq j \leq N$.



4.4. Completeness. It is now time for examples of implications that do not lift, i.e.,
that are valid in the unary interpretation but not in the binary. The first is based on the
following observation: if $h \in [\![1 \mapsto \_]\!]^1$ and $h \in p * q$ for $h \in \mathrm{Heap}$ and $p, q \in \mathrm{IRel}_1$ then we have
$h \in [\![1 \mapsto \_]\!]^1 * p$ or $h \in [\![1 \mapsto \_]\!]^1 * q$. This is because we must have $[1 \mapsto n] \sqsubseteq h$ for some $n \in \mathrm{Int}$,
and so writing $h = h_1 \cdot h_2$ with $h_1 \in p$ and $h_2 \in q$ gives us $[1 \mapsto n] \sqsubseteq h_1$ or $[1 \mapsto n] \sqsubseteq h_2$.
But this line of argument breaks down if we change to the binary reading. We have, e.g.,
$([1], [1]) \in [\![1 \mapsto \_]\!]^2$ and $([1], [1]) \in \{([1], [\,])\}^{\uparrow} * \{([\,], [1])\}^{\uparrow}$, but both $[\![1 \mapsto \_]\!]^2 * \{([1], [\,])\}^{\uparrow}$ and
$[\![1 \mapsto \_]\!]^2 * \{([\,], [1])\}^{\uparrow}$ are empty. We can recast this as an implication that cannot be lifted:

Example 4.9 (Fan-Counter). This implication is valid on the unary but not on the binary
level:

$1 \mapsto \_ \ \wedge\ a * b \Longrightarrow 1 \mapsto \_ * a \ \vee\ 1 \mapsto \_ * b$

(drawn in the original as a variable-layout diagram).

First we argue that the implication holds on the unary level. Let $\rho : \{a, b\} \to \mathrm{IRel}_1$ be an
arbitrary environment assigning upwards closed sets of heaps to $a$ and $b$. Let $h \in \mathrm{Heap}$ be arbitrary
and assume that

$h \in [\![1 \mapsto \_ \wedge (a * b)]\!]^1_{\rho} = [\![1 \mapsto \_]\!]^1 \cap (\rho(a) * \rho(b)).$

By the above observation we get either $h \in [\![1 \mapsto \_]\!]^1 * \rho(a)$ or $h \in [\![1 \mapsto \_]\!]^1 * \rho(b)$, which
matches the right hand side of the implication.

Now we move on to prove that the implication fails on the binary level. Define
an environment $\rho : \{a, b\} \to \mathrm{IRel}_2$ by $\rho(a) = \{([1], [\,])\}^{\uparrow}$ and $\rho(b) = \{([\,], [1])\}^{\uparrow}$. Then
$[\![1 \mapsto \_ \wedge a * b]\!]^2_{\rho} = [\![1 \mapsto \_]\!]^2 \cap (\rho(a) * \rho(b))$, which contains the pair $([1], [1])$. But, as
observed, both disjuncts have empty binary interpretations. $\square$
An observation of similar nature is that for $p \in \mathrm{IRel}_1$ we have either $p = \mathrm{Heap}$ or
$p \subseteq [\![\_ \mapsto \_]\!]^1 = \{[m \mapsto n] \mid m \in \mathrm{PosInt}, n \in \mathrm{Int}\}^{\uparrow}$, because if $p \neq \mathrm{Heap}$ then it cannot contain
the empty heap. On the binary level, however, we have $\mathrm{Heap}^2 \neq \{([1], [\,])\}^{\uparrow} \not\subseteq [\![\_ \mapsto \_]\!]^2 =
\{([m \mapsto n], [m \mapsto n]) \mid m \in \mathrm{PosInt}, n \in \mathrm{Int}\}^{\uparrow}$. One consequence is this:

Example 4.10 (Bridge-Counter). This implication is valid on the unary but not on the
binary level:

$\_ \mapsto \_ * a * b \ \wedge\ a * a \Longrightarrow \_ \mapsto \_ * a * a \ \vee\ \_ \mapsto \_ * \_ \mapsto \_ * b$

(drawn in the original as a variable-layout diagram).

First we argue that the implication holds on the unary level. Let $\rho : \{a, b\} \to \mathrm{IRel}_1$ be an
arbitrary environment that assigns upwards closed sets of heaps to each of the two variables.
We branch on the value of $\rho(a)$. If $\rho(a) \neq \mathrm{Heap}$ then we have $\rho(a) \subseteq [\![\_ \mapsto \_]\!]^1$, which again
means that the first conjunct directly implies the second disjunct. If $\rho(a) = \mathrm{Heap}$ holds, we
get that

$[\![\_ \mapsto \_ * a * b]\!]^1_{\rho} = [\![\_ \mapsto \_]\!]^1 * \mathrm{Heap} * \rho(b) = [\![\_ \mapsto \_]\!]^1 * \rho(b) \subseteq [\![\_ \mapsto \_]\!]^1 = [\![\_ \mapsto \_]\!]^1 * \mathrm{Heap} * \mathrm{Heap} = [\![\_ \mapsto \_ * a * a]\!]^1_{\rho}$

because $\mathrm{Heap}$ is the unit for $*$. Hence we get that the first conjunct implies the first disjunct
and we have proved that the implication holds unarily.

Now we prove that the implication fails on the binary level. Define an environment
$\rho : \{a, b\} \to \mathrm{IRel}_2$ by $\rho(a) = \{([1], [\,])\}^{\uparrow} \cup \{([2], [2])\}^{\uparrow}$ and $\rho(b) = \mathrm{Heap}^2$. Observe now that
$([1, 2], [2]) = ([2], [2]) \cdot ([1], [\,]) \cdot ([\,], [\,])$, which implies that $([1, 2], [2]) \in [\![\_ \mapsto \_ * a * b]\!]^2_{\rho}$. From
the rewriting $([1, 2], [2]) = ([1], [\,]) \cdot ([2], [2])$, we get $([1, 2], [2]) \in [\![a * a]\!]^2_{\rho}$ too and so this
pair of heaps lies in the interpretation of the left hand side. But it does not belong to
the interpretation of either disjunct. An easy, if somewhat indirect, way of realizing
this is to note that any pair of heaps in either $[\![\_ \mapsto \_]\!]^2_{\rho}$ or in $[\![a * a]\!]^2_{\rho}$ must have a second
component with nonempty domain. But then any pair of heaps in the interpretation of
either disjunct must have a second component with a domain of at least two elements. In
particular, neither can contain the pair $([1, 2], [2])$. $\square$
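Both counterexamples of this subsection can be checked mechanically in a small finite model. The Python program below is an added example and not code from the paper: it restricts heaps to cells {1, 2} and values {0, 1}, implements $\Delta_n$, $*$ and upward closure over that universe, and confirms that the Fan-Counter implication of Example 4.9 and the Bridge-Counter implication of Example 4.10 hold for every unary environment of the model but fail for the binary environments given in the text. The tuple encoding of assertions and the value 0 stored in $[1]$ and $[2]$ are choices made for the example.

```python
"""Finite-model check of Example 4.9 (Fan-Counter) and Example 4.10 (Bridge-Counter).

Heaps are restricted to cells {1, 2} and values {0, 1}, so every interpretation
is a finite set that can be enumerated. The heaps [1] and [2] store the value 0.
"""
from itertools import product

CELLS = (1, 2)
VALUES = (0, 1)

# A heap is a frozenset of (cell, value) pairs with at most one value per cell.
HEAPS = tuple(frozenset((c, v) for c, v in zip(CELLS, vs) if v is not None)
              for vs in product((None,) + VALUES, repeat=len(CELLS)))
EMPTY, H1, H2 = frozenset(), frozenset({(1, 0)}), frozenset({(2, 0)})

def join(f, g):
    """f . g: union of two heaps, defined only when their domains are disjoint."""
    if {c for c, _ in f} & {c for c, _ in g}:
        return None
    return f | g

def upclose(seed, n):
    """Upward closure of a set of n-tuples under the pointwise subheap order."""
    return frozenset(t for t in product(HEAPS, repeat=n)
                     if any(all(s[i] <= t[i] for i in range(n)) for s in seed))

def star(p, q, n):
    """p * q on IRel_n: componentwise joins of tuples with disjoint components."""
    out = set()
    for s in p:
        for t in q:
            joined = tuple(join(s[i], t[i]) for i in range(n))
            if None not in joined:
                out.add(joined)
    return frozenset(out)

def delta(p, n):
    """Delta_n(p): n-tuples that share a common subheap lying in the unary set p."""
    return frozenset(t for t in product(HEAPS, repeat=n)
                     if any(all(f <= h for h in t) for f in p))

# Unary meaning of the two variable-free assertions used in the examples:
# 1|->_ (cell 1 is allocated) and _|->_ (some cell is allocated).
PT1 = frozenset(h for h in HEAPS if any((1, v) in h for v in VALUES))
PTANY = frozenset(h for h in HEAPS if h)

def sem(phi, rho, n):
    """n-ary interpretation of an assertion given as a nested tuple."""
    op = phi[0]
    if op == 'var':
        return rho[phi[1]]
    if op == 'pt1':
        return delta(PT1, n)
    if op == 'ptany':
        return delta(PTANY, n)
    left, right = sem(phi[1], rho, n), sem(phi[2], rho, n)
    if op == '*':
        return star(left, right, n)
    return left & right if op == 'and' else left | right

def valid(lhs, rhs, rho, n):
    """n-ary rho-validity of the implication lhs ==> rhs."""
    return sem(lhs, rho, n) <= sem(rhs, rho, n)

def unary_valid(lhs, rhs):
    """Unary validity: every assignment of upward-closed heap sets to a and b."""
    upsets = {upclose([(h,) for i, h in enumerate(HEAPS) if mask >> i & 1], 1)
              for mask in range(1 << len(HEAPS))}
    return all(valid(lhs, rhs, {'a': pa, 'b': pb}, 1)
               for pa in upsets for pb in upsets)

def conj(x, y):
    return ('*', x, y)

A, B, ONE, ANY = ('var', 'a'), ('var', 'b'), ('pt1',), ('ptany',)

# Example 4.9:  1|->_ /\ (a * b)  ==>  (1|->_ * a) \/ (1|->_ * b)
FAN_LHS = ('and', ONE, conj(A, B))
FAN_RHS = ('or', conj(ONE, A), conj(ONE, B))
FAN_RHO2 = {'a': upclose([(H1, EMPTY)], 2), 'b': upclose([(EMPTY, H1)], 2)}

# Example 4.10:  (_|->_ * a * b) /\ (a * a)  ==>  (_|->_ * a * a) \/ (_|->_ * _|->_ * b)
BRIDGE_LHS = ('and', conj(conj(ANY, A), B), conj(A, A))
BRIDGE_RHS = ('or', conj(conj(ANY, A), A), conj(conj(ANY, ANY), B))
BRIDGE_RHO2 = {'a': upclose([(H1, EMPTY), (H2, H2)], 2),
               'b': upclose([(EMPTY, EMPTY)], 2)}  # Heap^2

if __name__ == '__main__':
    for name, lhs, rhs, rho2 in (('Fan-Counter', FAN_LHS, FAN_RHS, FAN_RHO2),
                                 ('Bridge-Counter', BRIDGE_LHS, BRIDGE_RHS, BRIDGE_RHO2)):
        print(name, 'unary valid:', unary_valid(lhs, rhs),
              'binary valid:', valid(lhs, rhs, rho2, 2))
```

Unary validity is only exhausted within the finite model; the paper's proofs cover the general case.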

In principle, the above two observations are all that we need to prove completeness.
Or, phrased differently, assume that we have a layout of variables that fails the criteria of
all three lifting theorems; by applying one of the two observations, we can then build a
concrete implication with that variable layout and with unary but not binary validity.

Having said that, the territory to cover is huge; the full completeness proof is a lengthy
and rather technical journey, the details of which do not provide much insight. We supply
it as a series of lemmas in Appendix D; these include generalizations of Example 4.9 and
Example 4.10 above. If one verifies the lemmas in the order listed and applies them as
sketched then it is feasible, if not exactly easy, to prove the following:

Theorem 4.11 (Completeness). If a variable layout meets none of the criteria in Theorems
4.5, 4.7 and 4.8 then there are choices of $\varphi_i$'s and $\psi_j$'s with no variables such that we have unary
but not binary validity.
4.5. Future Work: Supported Assertions. By now, we have given a complete division
of the possible layouts of variables into those that lift and those that do not. The divide is
technical; without some understanding of the underlying proofs, it is hard to get an intuitive
feel for it.

One way to simplify would be to consider supported assertions. An $n$-ary relation
$r \in \mathrm{IRel}_n$ is supported if, for every $f \in \mathrm{Heap}^n$, it holds that $g_1 \sqsubseteq f$ and $g_2 \sqsubseteq f$ and
$g_1, g_2 \in r$ together imply the existence of $g \in r$ with $g \sqsubseteq g_1$ and $g \sqsubseteq g_2$. In an
intuitionistic setting, the supported assertions play the role that the precise assertions do in a
classical, non-intuitionistic setting: they validate reasoning about the resource invariant in
the Hypothetical Frame Rule [25] and about shared resources in concurrent separation logic.
The problems we face here appear reminiscent and a natural question is this: how
about restricting assertion variables to supported assertions?

We have not investigated this in any detail, but initial findings suggest that this would
simplify matters, maybe extensively so. The counter-example given in Example 4.9 still
holds, so it is not the case that everything lifts, but the counter-example of Example 4.10
breaks. The central proof of Theorem 4.5 uses non-supported assertions; on the other hand,
if $r \in \mathrm{IRel}_n$ is supported then either $r * r$ is empty or we have $r = \mathrm{Heap}^n$, so maybe we could
restrict to conjuncts with at most one occurrence of each assertion variable.

Along the same lines, it would be interesting to revisit the challenges in a classical,
non-intuitionistic setting. This, too, is left for future work with the one comment that the
counter-example given in Example 4.9 persists.



5. Higher Arities and Parametricity

We saw in Proposition 4.4 that the PC implies binary $\eta$-validity of an implication. It is
easy to show that the PC also implies unary $\eta$-validity, either directly or by observing that
binary implies unary. A natural question to ask is whether we can reverse this. Example 4.9
shows that unary validity does not entail the PC, because the latter fails for that concrete
implication. But as binary validity fails too, we could hope that binary validity would
enforce the PC. Unfortunately, this is not the case, as demonstrated by the implication

Here the PC is the same as for Example 4.9 and hence still is not true, but we do have
binary validity. We do not, however, have ternary validity, but the example could easily be
scaled: having $n$ occurrences of $a$ in the second conjunct means $n$-ary but not $(n+1)$-ary
validity for any $n \geq 1$. In summary, we have seen that for any $n \geq 1$ we can have $n$-ary
validity whilst the PC fails.

What does hold, however, is the following:

Theorem 5.1. For an implication of the form (4.1) and an appropriate environment $\eta$ we
have that $n$-ary $\eta$-validity implies the PC if $n \geq \max\{2, M_1, \ldots, M_M\}$.

Notice how this fits nicely with the above example: with $n$ occurrences of $a$ we have
$n$-ary validity but we need $(n+1)$-ary validity to prove the PC since there is also a single
$b$. The proof is in Appendix E and reuses techniques from the proofs of Theorems 4.5 and

By an easy generalization of Proposition 4.4 we have the following corollary to the
above theorem:
Corollary 5.2. The PC holds iff we have $n$-ary $\eta$-validity for all $n \geq 1$.

This corollary can be read, loosely, as a coincidence between parametric polymorphism
as introduced by Strachey [31] and relational parametricity as proposed by Reynolds [30]:
the PC corresponds to Strachey parametricity in the loose sense that if it holds, then there
is an approach, parametric in the assertion variables, that produces right hand side proofs
of heap membership from the left hand side ones: take a heap, split it along the conjuncts,
apply the PC to the parts in the interpretations of the $\varphi$'s and you are done, possibly
after discarding some variables. This involves no branching or other intrinsic operations on
the assertion variables, which we are free to discard by our intuitionistic setup. If, on the
other hand, the implication is $\eta$-valid for arbitrary arity, then it is fair to call it relationally
parametric. Note also that Examples 4.9 and 4.10 branch on assertion variable values.

This result is analogous to the conjecture of coincidence between Strachey parametricity
and $n$-ary relational parametricity for traditional type-based parametricity [29, page 2].

Finally we note that as a consequence of the above corollary we have that the lifting 
theorems in the previous section really show that unary validity can be lifted to validity 
of arbitrary arity. In some sense, they are stronger than required for representation in- 
dependence, for which binary validity suffices. The authors are unaware of any practical 
applications of this fact. 

6. Representation Independence 

In this section, we relate our lifting theorems to representation independence. We con- 
sider separation logic with assertion variables where the rule of consequence is restricted 
according to our lifting theorems, and we define a relational semantics of the logic, which 
gives a representation independence theorem: all proved clients cannot distinguish between 
appropriately related module implementations. 

To keep the presentation simple, we omit while-loops and allocation from the language. 
Adding the former together with the standard proof rule is straightforward. Allocation, 
however, is non-trivial: the notion of having one client using two modules will be hard-
coded into our relational reading of the logic, and allocation on the part of the client must give
the same address when run with either module. This fails with standard, non-deterministic
allocation; it was resolved earlier, however, by Birkedal and Yang [10] using a combination
of FM sets and continuations, and that approach is applicable here too.

We consider commands $C$ given by the grammar:

$C ::= k \mid [E] := E \mid \mathsf{let}\ y = [E]\ \mathsf{in}\ C \mid C; C \mid \mathsf{if}\ B\ C\ C$

Here $B$ is a heap-independent boolean expression, such as $x = 0$. Commands $C$ are from the
loop-free simple imperative language. They can call module operations $k$, and manipulate
heap cells; command $[x] := E$ assigns $E$ to the heap cell $x$, and this assigned value is read
by $\mathsf{let}\ y = [x]\ \mathsf{in}\ C$, which also binds $y$ to the read value and runs $C$ under this binding.

Properties of commands $C$ are specified using Hoare triples $\Gamma \vdash \{\varphi\} C \{\psi\}$, where the
context $\Gamma$ is a set of triples for module operations. Figure 4 shows rules for proving these
properties. In the figure, we omit contexts if the same context $\Gamma$ is used for all the triples.

The rule of consequence deserves attention. Note that the rule uses semantic implications
$\models_1$ in the standard unary interpretation, thus allowing the use of existing theorem
provers for separation logic. The rule does not allow all semantic implications, but only
those that pass our algorithm Chk, so as to ensure that the implications can lift to the
Figure 4: Proof Rules (the rule table did not survive extraction; recognizable in it are the axiom for module operations in $\Gamma$, the rules for $[E] := F$, $\mathsf{let}\ x = [E]\ \mathsf{in}\ C$, sequencing and $\mathsf{if}$, the frame and existential rules with side condition $x \notin FV(C)$, and the rule of consequence whose implications $\models_1$ must pass $\mathrm{Chk}$)



relational level. Our algorithm $\mathrm{Chk}(\varphi, \psi)$ performs two checks, and returns true only when
both succeed. The first check is whether $\varphi$ and $\psi$ can be transformed to simple assertions
$\varphi'$ and $\psi'$, using only the distribution of $*$ over $\exists x$ and $\vee$ and distributive lattice laws for $\vee$
and $\wedge$. If this check succeeds and gives $\varphi'$ and $\psi'$, the algorithm transforms $\varphi' \Longrightarrow \psi'$ to a
set of implications of the form (4.1) in Section 4 (Lemma 4.1). Then, for each implication
in the resulting set, it tests if any of the three criteria for lifting are met and returns
true if that is always the case.

Commands $C$ are interpreted in a standard way, as functions of the type $[\![C]\!]_{\eta,u} \in
\mathrm{Heap} \to (\mathrm{Heap} \cup \{\mathit{err}\})$. Here $\mathit{err}$ denotes a memory error, and $\eta$ and $u$ are environments
that provide the meanings of, respectively, free ordinary variables and module operations.
For instance, $[\![k]\!]_{\eta,u}$ is $u(k)$.

Our semantics of triples, on the other hand, is not standard, and uses the binary
interpretation of assertions: $(\eta, \rho, u) \models_2 \{\varphi\} C \{\psi\}$ iff

$\forall r \in \mathrm{IRel}_2.\ \forall f, g \in \mathrm{Heap}.\ (f, g) \in [\![\varphi]\!]^2_{\eta,\rho} * r \Longrightarrow ([\![C]\!]_{\eta,u_1}(f), [\![C]\!]_{\eta,u_2}(g)) \in [\![\psi]\!]^2_{\eta,\rho} * r.$

The environment $\rho$ provides the meanings of assertion variables, and the 2-dimensional
vector $u$ gives the two meanings for module operations; intuitively, each $u_i$ corresponds to
the $i$-th module implementation. The interpretation means that if two module implementations
$u$ are used by the same client $C$, then these combinations should result in the same
computation, in the sense that they map $\varphi$-related input heaps to $\psi$-related outputs. The
satisfaction of triples can be extended to $(\eta, \rho, u) \models_2 \Gamma$, by asking that all triples in $\Gamma$ should
hold wrt. $(\eta, \rho, u)$. Using these satisfaction relations on triples and contexts, we define the
notion of 2-validity of judgements: $\Gamma \vdash \{\varphi\} C \{\psi\}$ is 2-valid iff

Theorem 6.1. Every derivable $\Gamma \vdash \{\varphi\} C \{\psi\}$ is 2-valid.

Recall that the failure of the lifting theorems does not imply that a concrete implication cannot be lifted;
consider, e.g., Example 4.9 and replace $1 \mapsto \_$ with true everywhere. One can sidestep the general lifting
theorems and (try to) verify directly the Parametricity Condition from Definition 4.3 for all environments
$\eta$. It is, however, a semantic condition and probably undecidable in general.
It is this theorem that we use to derive the representation independence results
mentioned in the introduction. Consider again the example in Figure 1. Since the proof of the
left hand side client $C$ is derivable using the above rules in the context

$\Gamma = \{\ \{1 \mapsto \_\}\,\mathsf{init}\,\{a\},\ \{a\}\,\mathsf{inc}\,\{a\},\ \{a\}\,\mathsf{nxt}\,\{b\},\ \{b\}\,\mathsf{dec}\,\{b\},\ \{b\}\,\mathsf{fin}\,\{1 \mapsto \_\}\ \},$

we get 2-validity of $\Gamma \vdash \{1 \mapsto \_\} C \{1 \mapsto \_\}$. Instantiating, in the definition of 2-validity, $\rho$ with
the given coupling relations and $u$ with the module implementations gives us

$(\emptyset, \rho, u) \models_2 \{1 \mapsto \_\} C \{1 \mapsto \_\},$

since we already know that the different operations respect the coupling relations. Therefore,
when we run the client $C$ with the related module implementations, we find that $C$ maps
$[\![1 \mapsto \_]\!]^2$-related heaps (i.e., heaps with the same value at cell 1) to $[\![1 \mapsto \_]\!]^2$-related heaps
again.

7. Conclusion and Discussion 

In this paper, we have given a sound and, in a certain sense, complete characterization 
of when semantic implications in separation logic with assertion variables can be lifted to 
a relational interpretation. This characterization has, then, been used to identify proofs 
of clients that respect the abstraction of module internals, specified by means of assertion 
variables, and to show representation independence for clients with such proofs. We hope 
that our results provide a solid semantic basis for recent logic-based approaches to data 
abstraction. 

In earlier work, Banerjee and Naumann [2] studied relational parametricity for dynamically
allocated heap objects in a Java-like language. Later they extended their results to
cover client programs that are correct with respect to specifications following the "Boogie
methodology" implemented in the Spec# verifier [Sid]. In both works, Banerjee and
Naumann made use of a non-trivial semantic notion of confinement to describe internal
resources of a module; here instead we use separation logic with assertion variables to
describe which resources are internal to the module.

Data abstraction and information hiding have been studied in logics and specification
languages for pointer programs other than separation logic. Good example projects are
ESC/Modula-3 [20], ESC/Java [17] and Spec# [5], some of which use concepts analogous to
abstract predicates, called abstract variables [21]. It would be an interesting future direction
to revisit the questions raised in the paper in the context of these logics and specification
languages.

Relational interpretations have also been used to give models of programming languages
with local state, which can validate representation independence results pU EHJ El [Q. These
results typically rely on the module allocating the private state, whereas we use the power
of separation logic and allow the ownership transfer of states from client to module. For
instance, in the two-stage counter in the introduction, the ownership of the cell 1 is
transferred from the client to the module upon calling init. Even with this ownership transfer,
representation independence is guaranteed, because we consider only those clients having
(good) proofs in separation logic. This contrasts with representation independence results
in local state models, which consider not some but all well-typed clients. The work by
Banerjee and Naumann [2] discussed above also permits ownership transfer.
Appendix A. Proofs of Lemma 2.2 and Lemma 3.1

Lemma 2.2. Function $\Delta_n$ preserves the complete lattice structure and the $*$ operator.

Proof. From the definition, it is immediate that $\Delta_n(\mathrm{Heap}) = \mathrm{Heap}^n$ and $\Delta_n(\emptyset) = \emptyset$, the
former because we have $[\,] \in \mathrm{Heap}$. Now consider a non-empty family $\{p_i\}_{i \in I}$ of predicates
in $\mathrm{IRel}_1$. In order to show the preservation of the complete lattice structure, we need to
prove that

$\Delta_n\Big(\bigcap_{i \in I} p_i\Big) = \bigcap_{i \in I} \Delta_n(p_i) \quad \wedge \quad \bigcup_{i \in I} \Delta_n(p_i) = \Delta_n\Big(\bigcup_{i \in I} p_i\Big).$

The $\subseteq$ direction in both cases is easy; it follows from the monotonicity of $\Delta_n$.

We start with the $\supseteq$ direction for the meet operator. Pick $(h_1, \ldots, h_n)$ from $\bigcap_{i \in I} \Delta_n(p_i)$.
Then,

$\forall i \in I.\ (h_1, \ldots, h_n) \in \Delta_n(p_i).$

By the definition of $\Delta_n$, this means that

$\forall i \in I.\ \exists f_i \in p_i.\ f_i \sqsubseteq h_1 \wedge \ldots \wedge f_i \sqsubseteq h_n. \qquad \text{(A.1)}$

Let $f = \sum_{i \in I} f_i$. The sum here is well-defined, because (a) there are only finitely many $f$'s
such that $f \sqsubseteq h_k$ for all $1 \leq k \leq n$, and (b) any two such $f$ and $g$ should have the same
value for every location in $\mathrm{dom}(f) \cap \mathrm{dom}(g)$. Since all $f_i$'s satisfy (A.1), their sum $f$ also
satisfies

$f \sqsubseteq h_1 \wedge \ldots \wedge f \sqsubseteq h_n.$

Furthermore, $f \in \bigcap_{i \in I} p_i$, because the $p_i$'s are upward closed and $f$ is an extension of $f_i$ in $p_i$.
Hence, $\Delta_n(\bigcap_{i \in I} p_i) \supseteq \bigcap_{i \in I} \Delta_n(p_i)$.

Next we prove the $\supseteq$ direction for the join operator. Pick $(h_1, \ldots, h_n)$ from $\Delta_n(\bigcup_{i \in I} p_i)$.
Then,

$\exists i \in I.\ \exists f \in p_i.\ f \sqsubseteq h_1 \wedge \ldots \wedge f \sqsubseteq h_n.$

Hence, by the definition of $\Delta_n$,

$(h_1, \ldots, h_n) \in \Delta_n(p_i) \subseteq \bigcup_{i \in I} \Delta_n(p_i),$

as desired.

Finally, it remains to show that $\Delta_n$ preserves the $*$ operator. Consider predicates
$p, q \in \mathrm{IRel}_1$. We need to prove that

$\Delta_n(p * q) = \Delta_n(p) * \Delta_n(q).$

Choose an arbitrary $(h_1, \ldots, h_n)$ from $\Delta_n(p * q)$. By the definition of $\Delta_n(p * q)$, it follows
that

$\exists f \in p.\ \exists g \in q.\ (\mathrm{dom}(f) \cap \mathrm{dom}(g) = \emptyset) \wedge f \sqsubseteq h_1 \wedge \ldots \wedge f \sqsubseteq h_n \wedge g \sqsubseteq h_1 \wedge \ldots \wedge g \sqsubseteq h_n.$

Now, define $f_i = f$ and $g_i = h_i - f$ for $i \in \{1, \ldots, n\}$. Then,

$(\forall i \in \{1, \ldots, n\}.\ f_i \cdot g_i = h_i) \wedge (f_1, \ldots, f_n) \in \Delta_n(p) \wedge (g_1, \ldots, g_n) \in \Delta_n(q).$

Hence, $(h_1, \ldots, h_n) \in \Delta_n(p) * \Delta_n(q)$. This shows that $\Delta_n(p * q) \subseteq \Delta_n(p) * \Delta_n(q)$. For the
other inclusion, suppose that

$(h_1, \ldots, h_n) \in \Delta_n(p) * \Delta_n(q).$

Then, by the definition of $*$,

$\exists (f_1, \ldots, f_n) \in \Delta_n(p).\ \exists (g_1, \ldots, g_n) \in \Delta_n(q).\ (\forall i \in \{1, \ldots, n\}.\ f_i \cdot g_i = h_i).$

Since $(f_1, \ldots, f_n) \in \Delta_n(p)$ and $(g_1, \ldots, g_n) \in \Delta_n(q)$, there are $f \in p$ and $g \in q$ such that

$f \sqsubseteq f_1 \wedge \ldots \wedge f \sqsubseteq f_n \wedge g \sqsubseteq g_1 \wedge \ldots \wedge g \sqsubseteq g_n.$

Furthermore, since $f_1$ and $g_1$ have disjoint domains, their subheaps $f$ and $g$ must have
disjoint domains as well. Consequently, $f \cdot g$ is well defined, and it satisfies

$f \cdot g \in p * q \wedge (\forall i \in \{1, \ldots, n\}.\ f \cdot g \sqsubseteq f_i \cdot g_i = h_i).$

This implies that $(h_1, \ldots, h_n) \in \Delta_n(p * q)$, as desired. $\square$

Lemma 3.1. For all $\varphi$ and $\eta, \rho, \rho'$, if $\Delta_n(\rho(a)) = \rho'(a)$ for every $a \in \mathrm{AVar}$, we have that

Proof. We prove by induction on the structure of $\varphi$. All the inductive cases and the cases
of true and false follow from the preservation result of Lemma 2.2. Thus, it is sufficient to
show the lemma when $\varphi = a$ or $\varphi = P$. When $\varphi = a$, the assumption of the lemma implies
that

$\Delta_n([\![a]\!]^1_{\eta,\rho}) = \Delta_n(\rho(a)) = \rho'(a) = [\![a]\!]^n_{\eta,\rho'}.$

When $\varphi = P$, we note that $\Delta_n \circ \Delta_1 = \Delta_n$, and conclude that

$\Delta_n([\![P]\!]^1_{\eta,\rho}) = \Delta_n(\Delta_1((\!|P|\!)_\eta)) = \Delta_n((\!|P|\!)_\eta) = [\![P]\!]^n_{\eta,\rho'}.$

$\square$
Appendix B. Proof of Lemma 4.1

Lemma 4.1. There is an algorithm taking simple assertions $\varphi, \psi$ and returning finitely
many implications $\{\varphi^l \Longrightarrow \psi^l\}_{l \in L}$ such that (a) $\varphi^l \Longrightarrow \psi^l$ has the form (4.1) and (b) for
any $n \in \{1, 2\}$, we have that $\varphi \models_n \psi$ holds iff $\varphi^l \models_n \psi^l$ holds for all $l \in L$.

Proof. The algorithm first transforms $\varphi$ into disjunctive and $\psi$ into conjunctive normal form,
using proof rules in classical logic, which hold in all the $n$-ary semantics. This gives an
implication of the form:

$\bigvee_{i=1}^{I} \bigwedge_{j=1}^{J} \varphi_{(i,j)} * a_{(i,j)} \Longrightarrow \bigwedge_{k=1}^{K} \bigvee_{l=1}^{L} \psi_{(k,l)} * b_{(k,l)}.$

Then, the algorithm constructs the below set:

$\Big\{\ \bigwedge_{j=1}^{J} \varphi_{(i,j)} * a_{(i,j)} \Longrightarrow \bigvee_{l=1}^{L} \psi_{(k,l)} * b_{(k,l)}\ \Big\}_{1 \leq i \leq I,\ 1 \leq k \leq K}$

Finally, it removes, in each implication, all the disjuncts that include assertion variables
not appearing on the LHS of the implication; if all disjuncts are removed, false is the new
RHS. The outcome of this removal becomes the result of the algorithm. $\square$



Appendix C. Layouts that Lift

Lemma C.1 (Segregation). For any $I, J \geq 1$ there are non-empty, finite segregating subsets
$S^{I,J}_{i,j} \subseteq \mathrm{PosInt}$ for all $1 \leq i \leq I$ and $1 \leq j \leq J$ with these properties:

(1) $\forall 1 \leq i_1, i_2 \leq I.\ \bigcup_{1 \leq j \leq J} S^{I,J}_{i_1,j} = \bigcup_{1 \leq j \leq J} S^{I,J}_{i_2,j}$.

(2) $\forall 1 \leq i \leq I.\ \forall 1 \leq j_1 \neq j_2 \leq J.\ S^{I,J}_{i,j_1} \cap S^{I,J}_{i,j_2} = \emptyset$.

(3) $\forall 1 \leq i_1 \neq i_2 \leq I.\ \forall 1 \leq j_1, j_2 \leq J.\ S^{I,J}_{i_1,j_1} \cap S^{I,J}_{i_2,j_2} \neq \emptyset$.

By (1) we may define $S^{I,J} = \bigcup_{1 \leq j \leq J} S^{I,J}_{i,j}$ for any $1 \leq i \leq I$.

Theorem 4.5 (Shadow-Lift). Unary $\eta$-validity of an implication implies the PC if each
dashed line has a label that is not a label on a solid line and each disjunct has an occurrence
of a variable that is not a label on a solid line. Spelling it out in symbols, we require, with
$L = \{(i, j) \mid 1 \leq i \leq M \wedge 1 \leq j \leq N\}$, that

$\forall (i, j) \in L.\ \Pi(i) \not\geq \Omega(j) \Longrightarrow \exists c \in V.\ \Pi(i)(c) < \Omega(j)(c) \wedge (\forall (k, l) \in L.\ \Pi(k) \geq \Omega(l) \Longrightarrow \Pi(k)(c) = \Omega(l)(c))$

and

$\forall 1 \leq j \leq N.\ \exists c \in V.\ \Omega(j)(c) > 0 \wedge (\forall (k, l) \in L.\ \Pi(k) \geq \Omega(l) \Longrightarrow \Pi(k)(c) = \Omega(l)(c)).$
Proof. Assume that we have an implication of the form (4.1) in Section 4 and an appropriate
environment $\eta$, that the stated criterion on the variable layout holds and that we have unary
$\eta$-validity. We must show that the PC holds.

According to Definition 4.3 we assume that we have heaps $h, h_1, \ldots, h_M \in \mathrm{Heap}$ with
$h_i \sqsubseteq h$ and $h_i \in [\![\varphi_i]\!]^1_\eta$ for all $1 \leq i \leq M$. The core of the proof is the construction of
a particular environment $\rho : V \to \mathrm{IRel}_1$. For that purpose we need some notation. For a
subset $M \subseteq \mathrm{PosInt}$ we denote by $[M]$ the heap that has domain $M$ and stores some fixed
value, say 0, at all these locations. Let $C \subseteq V$ be the set of assertion variables that do not
occur as labels on solid edges, i.e., for a $c \in V$ we have that $c \in C$ iff

$\forall 1 \leq i \leq M.\ \forall 1 \leq j \leq N.\ \Pi(i) \geq \Omega(j) \Longrightarrow \Pi(i)(c) = \Omega(j)(c).$

For each $1 \leq i \leq M$ we let $K_i$ be the set of second indices of all variables in conjunct $i$ that
lie in $C$, i.e., we set $K_i = \{1 \leq k \leq M_i \mid a_{i,k} \in C\}$. If non-empty, we let $k_i = \min(K_i)$.

We now define $\rho(c) = \mathrm{Heap}$ for $c \in V \setminus C$. For a variable $c \in C$ we let $\rho(c)$ be the union
of

$\bigcup_{1 \leq i \leq M,\ K_i \neq \emptyset,\ a_{i,k_i} = c} \Big\{ (h - h_i) \cdot [S^{M,K}_{i,k_i} + L] \cdot \prod_{1 \leq k \leq K,\ k \notin K_i} [S^{M,K}_{i,k} + L] \Big\}^{\uparrow}$

and

$\bigcup_{1 \leq i \leq M,\ k \in K_i,\ k \neq k_i,\ a_{i,k} = c} \Big\{ [S^{M,K}_{i,k} + L] \Big\}^{\uparrow},$

where we have used $K = \max\{M_1, \ldots, M_M\}$ and $L = \max(\mathrm{dom}(h) \cup \{0\})$. For each
$1 \leq i \leq M$ we can write $h \cdot [S^{M,K} + L]$ as the following product

$h_i \cdot (h - h_i) \cdot \prod_{k \in K_i} [S^{M,K}_{i,k} + L] \cdot \prod_{1 \leq k \leq K,\ k \notin K_i} [S^{M,K}_{i,k} + L],$

which implies that $h \cdot [S^{M,K} + L]$ is a member of $[\![\varphi_i * a_{i,1} * \cdots * a_{i,M_i}]\!]^1_{\eta,\rho}$. In summary,
we have shown that $h \cdot [S^{M,K} + L]$ lies in the unary interpretation of the left hand side in
the environments $\eta$ and $\rho$. By assumption, the same must hold for the right hand side and
from this we aim to derive the PC.

We now know that $h \cdot [S^{M,K} + L]$ lies in the interpretation of some disjunct, say disjunct
$j$. This means that

$h \cdot [S^{M,K} + L] \in [\![\psi_j * b_{j,1} * \cdots * b_{j,N_j}]\!]^1_{\eta,\rho},$

and we let $J = \{1 \leq k \leq N_j \mid b_{j,k} \in C\}$ be the set of second indices of variables of disjunct $j$
that are in $C$; the variables $b_{j,k}$ with $k \notin J$ are interpreted as $\mathrm{Heap}$. By the second assumption
of the theorem we know that $J \neq \emptyset$. We write

$h \cdot [S^{M,K} + L] = g \cdot \prod_{k \in J} g_k$

for $g \in [\![\psi_j]\!]^1_\eta$ and $g_k \in \rho(b_{j,k})$ for each $k \in J$. By the properties of segregating sets we get
that there must be a common $1 \leq i \leq M$ such that for all $k \in J$ there is $l_k \in K_i$ with

$[S^{M,K}_{i,l_k} + L] \sqsubseteq g_k,$

i.e., the $g_k$'s are all 'from the same conjunct'. But this implies $\Pi(i)(c) \geq \Omega(j)(c)$ for all
$c \in C$ as the segregating sets are non-empty. But then $\Pi(i)(c) \geq \Omega(j)(c)$ must hold for
$c \in V \setminus C$ too by the first assumption of the theorem and so $\Pi(i) \geq \Omega(j)$. Also we must have
$\Pi(i)(c) = \Omega(j)(c)$ for each $c \in C$ by definition of $C$. By construction we have

$\mathrm{dom}\Big(\prod_{k \in J} g_k\Big) \supseteq \mathrm{dom}(h - h_i) \cup (S^{M,K} + L).$

But then $\mathrm{dom}(g) \subseteq \mathrm{dom}(h_i)$, i.e., $g \sqsubseteq h_i$, and so we have $h_i \in [\![\psi_j]\!]^1_\eta$ too and we have
proved the first option of the PC. $\square$

Theorem 4.7 (Balloon-Lift). Unary $\eta$-validity of an implication implies the PC if there 
is a subset $B \subseteq V$ with the following three properties. First, each conjunct has at most one 
occurrence of a variable from $B$, i.e.,

$$\forall 1 \le i \le M.\ \sum_{c \in B} \Pi(i)(c) \le 1.$$

Second, each disjunct is empty or has exactly one occurrence of a variable from $B$, i.e.,

$$\forall 1 \le j \le N.\ \sum_{c \in V} \Omega(j)(c) = 0 \ \vee\ \sum_{c \in B} \Omega(j)(c) = 1.$$

Third, each dashed line must have a label from $B$. That is, when $L = \{(i,j) \mid 1 \le i \le M \wedge 1 \le j \le N\}$,

$$\forall (i,j) \in L.\ \Pi(i) \not\ge \Omega(j) \implies \exists c \in B.\ \Pi(i)(c) < \Omega(j)(c).$$
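Both layout criteria (Theorem 4.5 and Theorem 4.7) are decidable checks on the occurrence counts $\Pi(i)(c)$ and $\Omega(j)(c)$ alone. The checker below is an added example, not code from the paper; it assumes a layout is given as lists of count dictionaries (conjuncts, then disjuncts) over a variable set V, and it finds the Balloon-Lift witness B by searching all subsets of V, which is fine for the small layouts that arise in practice.

```python
from itertools import combinations

# Added example, not the paper's own code. A variable layout is given by
# occurrence counts: Pi[i][c] = occurrences of assertion variable c in
# conjunct i, Omega[j][c] = occurrences in disjunct j; missing keys are 0.
# Pi(i) >= Omega(j) is the pointwise order on counts (a solid line); a pair
# that is not pointwise ordered is a dashed line.

def cnt(layout, c):
    return layout.get(c, 0)

def lines(Pi, Omega, V):
    """Split all index pairs (i, j) into solid and dashed lines."""
    pairs = [(i, j) for i in range(len(Pi)) for j in range(len(Omega))]
    solid = [(i, j) for i, j in pairs
             if all(cnt(Pi[i], c) >= cnt(Omega[j], c) for c in V)]
    dashed = [p for p in pairs if p not in solid]
    return solid, dashed

def shadow_lift_ok(Pi, Omega, V):
    """Layout criterion of Theorem 4.5 (Shadow-Lift)."""
    solid, dashed = lines(Pi, Omega, V)
    # C: variables that are not a label on any solid line, i.e. whose count
    # agrees at both ends of every solid line
    C = {c for c in V
         if all(cnt(Pi[k], c) == cnt(Omega[l], c) for k, l in solid)}
    # every dashed line carries a label from C ...
    dashed_ok = all(any(cnt(Pi[i], c) < cnt(Omega[j], c) for c in C)
                    for i, j in dashed)
    # ... and every disjunct mentions a variable from C
    disj_ok = all(any(cnt(om, c) > 0 for c in C) for om in Omega)
    return dashed_ok and disj_ok

def balloon_lift_ok(Pi, Omega, V):
    """Layout criterion of Theorem 4.7 (Balloon-Lift): brute-force search for
    a witness B; returns the first B found as a frozenset, else None."""
    _, dashed = lines(Pi, Omega, V)
    for size in range(len(V) + 1):
        for B in combinations(sorted(V), size):
            conj_ok = all(sum(cnt(pi, c) for c in B) <= 1 for pi in Pi)
            disj_ok = all(sum(cnt(om, c) for c in V) == 0
                          or sum(cnt(om, c) for c in B) == 1 for om in Omega)
            dash_ok = all(any(cnt(Pi[i], c) < cnt(Omega[j], c) for c in B)
                          for i, j in dashed)
            if conj_ok and disj_ok and dash_ok:
                return frozenset(B)
    return None

# Constructed layouts. CROSS: conjunct 1 mentions a once, conjunct 2 mentions
# b once, and the two disjuncts do the same; both criteria hold (B = {a, b}).
V = {"a", "b"}
PI_CROSS, OM_CROSS = [{"a": 1}, {"b": 1}], [{"a": 1}, {"b": 1}]
# DOUBLE: one conjunct with a twice against one disjunct with a once; the
# only line is solid and labelled a, so neither criterion can be met.
PI_DOUBLE, OM_DOUBLE = [{"a": 2}], [{"a": 1}]
```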



Proof. Assume that we have an implication of the form (4.1) in Section 4 and an appropriate 
environment $\eta$, that the stated criterion on the variable layout holds and that we have unary 
$\eta$-validity. We must show that the PC holds.

According to Definition 4.3 we assume that we have heaps $h, h_1, \ldots, h_M \in \mathrm{Heap}$ with 
$h_i \sqsubseteq h$ and $h_i \in [\![\varphi_i]\!]_\eta$ for all $1 \le i \le M$. The core of the proof is the construction of a 
particular environment $\rho : V \to \mathrm{IRel}_1$. We define $\rho(c) = \mathrm{Heap}$ for $c \in V \setminus B$. For a variable 
$c \in B$ we let $\rho(c)$ be the following union

$$\bigcup_{1 \le i \le M,\ 1 \le k \le M_i,\ a_{i,k} = c} \{ h - h_i \}.$$

For each $1 \le i \le M$ we can write $h = h_i \cdot (h - h_i)$ and so we have $h \in [\![\varphi_i * a_{i,1} * \cdots * a_{i,M_i}]\!]_{\eta,\rho}$ 
by the first of the original assumptions on the set $B$. In summary, we have shown that $h$ 
lies in the unary interpretation of the left hand side in the environments $\eta$ and $\rho$. By 
assumption, the same must hold for the right hand side and from this we aim to derive the 
PC.

We now know that $h$ lies in the interpretation of some disjunct, say disjunct $j$. If this 
disjunct is empty we have proved the second option of the PC. Otherwise we know that 
there is exactly one $1 \le k \le N_j$ such that $b_{j,k} \in B$. But then we have

$$h \in [\![\psi_j * b_{j,1} * \cdots * b_{j,N_j}]\!]_{\eta,\rho} = [\![\psi_j]\!]_\eta * \rho(b_{j,k}).$$

We write

$$h = g \cdot g_k$$

for $g \in [\![\psi_j]\!]_\eta$ and $g_k \in \rho(b_{j,k})$. There must be an $1 \le i \le M$ such that $g_k = h - h_i$ and 
such that $\Pi(i)(b_{j,k}) = \Omega(j)(b_{j,k}) = 1$. The first gives $h_i \in [\![\psi_j]\!]_\eta$ and the second implies 
$\Pi(i) \ge \Omega(j)$ by the third assumption on $B$. And we have arrived at the first option of the 
PC. □



Appendix D. Completeness 

Lemma D.1 (Fan-Counter). Suppose that the layout of variables is as follows. There are 
at least two conjuncts, i.e., $M \ge 2$, and one conjunct has the property that each variable 
occurring in the conjunct also occurs as a label of a solid line leaving the conjunct and 
ending in a non-empty disjunct. In symbols the latter is

$$\exists 1 \le i \le M.\ \forall c \in V.\ \Pi(i)(c) > 0 \implies \exists 1 \le j \le N.\ \Pi(i) \ge \Omega(j) \wedge \Pi(i)(c) > \Omega(j)(c) \wedge \exists d \in V.\ \Omega(j)(d) > 0.$$

Then there are choices of $\varphi_i$'s and $\psi_j$'s with no variables such that the implication holds on 
the unary level but not on the binary level.

In the search for counterexamples we may without loss of generality assume the negation 
of the conditions of the above lemma. This means, provided there are at least two conjuncts, that 
for any non-empty set of solid lines leaving one common conjunct and ending in non-empty 
disjuncts there is a variable that occurs in the conjunct but is not a label of any of the 
lines. If, loosely phrased, we invalidate that variable, then all the solid lines break down, 
i.e., become dashed.

Lemma D.2 (X-Counter). Suppose that the layout of variables is as follows. There are 
two distinct conjuncts $i_0$ and $i_1$ and two distinct non-empty disjuncts $j_0$ and $j_1$ such that 
$\Pi(i_0) \not\ge \Omega(j_0)$ while $\Pi(i_0) \ge \Omega(j_1)$, $\Pi(i_1) \ge \Omega(j_0)$ and $\Pi(i_1) \ge \Omega(j_1)$. Then there are 
choices of $\varphi_i$'s and $\psi_j$'s such that the implication holds on the unary level but not on the binary 
level.

Again we may without loss of generality assume that the negation of this lemma holds 
when building counterexamples. Picture the graph of the implication without empty dis- 
juncts and without dashed lines. The negation of the above means that we may arrive at all 
vertices in the connected component containing some vertex by paths from that vertex of 
length 2 or less. Also all connected components are complete, in particular no two vertices 
with a dashed line between them can belong to the same component. 

Lemma D.3 (Bridge-Counter). Suppose that the layout of variables is as follows. There 
are at least two conjuncts, i.e., $M \ge 2$, all disjuncts are non-empty and there is a dashed 
line with labels that all occur as labels on solid lines too. In symbols the last demand is

$$\exists 1 \le i \le M.\ \exists 1 \le j \le N.\ \Pi(i) \not\ge \Omega(j) \wedge \forall c \in V.\ \Pi(i)(c) < \Omega(j)(c) \implies \exists 1 \le k \le M.\ \exists 1 \le l \le N.\ \Pi(k) \ge \Omega(l) \wedge \Pi(k)(c) > \Omega(l)(c).$$

Then there are choices of $\varphi_i$'s and $\psi_j$'s with no variables such that the implication holds on 
the unary level but not on the binary level.

This lemma deals with the case of a variable layout with at least two conjuncts and no 
empty disjuncts but where the first condition of Theorem 4.5 fails.

Lemma D.4 (All-Out-Counter). Suppose that the layout of variables is as follows. There 
are at least two conjuncts, i.e., $M \ge 2$, at least one non-empty disjunct and for each variable 
one of the following two holds: Either the variable occurs as a label on a solid line ending 
in a non-empty disjunct. Or it occurs at least twice in a conjunct and we have an empty 
disjunct. In symbols the variable condition is

$$\forall c \in V.\ \big(\exists 1 \le i \le M.\ \exists 1 \le j \le N.\ \Pi(i) \ge \Omega(j) \wedge \Pi(i)(c) > \Omega(j)(c) \wedge \exists d \in V.\ \Omega(j)(d) > 0\big) \ \vee\ \big(\exists 1 \le i \le M.\ \Pi(i)(c) \ge 2 \wedge \exists 1 \le j \le N.\ \forall d \in V.\ \Omega(j)(d) = 0\big).$$

Then there are choices of $\varphi_i$'s and $\psi_j$'s with no variables such that the implication 
holds on the unary level but not on the binary level.

This lemma deals with two cases. The first is the case of a variable layout with at least 
two conjuncts and no empty disjuncts but where the second condition of Theorem 4.5 fails 
while the first holds. The second is the case of a variable layout with at least two conjuncts, 
at least one empty disjunct and no dashed lines for which Theorem 4.7 fails.

Appendix E. Higher Arities and Parametricity 

Theorem 5.1. For an implication of the form (4.1) and an appropriate environment $\eta$ we 
have that $n$-ary $\eta$-validity implies the PC if $n \ge \max\{2, M_1, \ldots, M_M\}$.

Proof. Assume that we have an implication of the form (4.1) in Section 4 and an appropriate 
environment $\eta$, that $n \ge \max\{2, M_1, \ldots, M_M\}$ and that we have $n$-ary $\eta$-validity. We must 
show that the PC holds.

According to Definition 4.3 we assume that we have heaps $h, h_1, \ldots, h_M \in \mathrm{Heap}$ with 
$h_i \sqsubseteq h$ and $h_i \in [\![\varphi_i]\!]_\eta$ for all $1 \le i \le M$. The core of the proof is the construction of a 
particular environment $\rho : V \to \mathrm{IRel}_n$. For that purpose we need some notation. Define, for 
each $1 \le k \le n$, a map $\gamma_k : \mathrm{Heap} \to \mathrm{Heap}^n$ by letting

$$\gamma_k(h) = (\underbrace{\emptyset, \ldots, \emptyset}_{k-1}, h, \underbrace{\emptyset, \ldots, \emptyset}_{n-k})$$

for any $h \in \mathrm{Heap}$, i.e., it returns the $n$-tuple that has $h$ as the $k$-th entry and the empty 
heap everywhere else. Similarly, we define $\delta : \mathrm{Heap} \to \mathrm{Heap}^n$ by setting

$$\delta(h) = (\underbrace{h, \ldots, h}_{n})$$

for any $h \in \mathrm{Heap}$, i.e., it returns the $n$-tuple that has $h$ as all entries. For a subset $M \subseteq \mathrm{PosInt}$ 
we denote by $[M]$ the heap that has domain $M$ and stores some fixed value, say 0, at all 
these locations.

For a variable $c \in V$ we now define $\rho(c)$ to be the following union of relations in $\mathrm{IRel}_n$:

$$\bigcup_{1 \le i \le M,\ 1 \le k \le M_i,\ a_{i,k} = c} \big\{ \gamma_k(h - h_i) \cdot \gamma_1([S^{M,K}_{i,k} + L]) \big\},$$

where $K = \max\{M_1, \ldots, M_M\}$ and $L = \max(\mathrm{dom}(h))$. This is well-defined because of our 
assumption that $n \ge \max\{M_1, \ldots, M_M\}$. For each $1 \le i \le M$ we have that

$$\delta(h) = \delta(h_i) \cdot \gamma_1(h - h_i) \cdots \gamma_n(h - h_i) \ \sqsupseteq\ \delta(h_i) \cdot \gamma_1(h - h_i) \cdots \gamma_{M_i}(h - h_i),$$

where we use the extension order for heap tuples defined by pointwise extension in all 
entries. Also, we have that

$$[S^{M,K} + L] = [S^{M,K}_{i,1} + L] \cdots [S^{M,K}_{i,K} + L] \ \sqsupseteq\ [S^{M,K}_{i,1} + L] \cdots [S^{M,K}_{i,M_i} + L].$$

This gives us that $\delta(h) \cdot \gamma_1([S^{M,K} + L])$ extends the following $n$-tuple of heaps:

$$\delta(h_i) \cdot \prod_{1 \le k \le M_i} \gamma_k(h - h_i) \cdot \gamma_1([S^{M,K}_{i,k} + L]),$$

which again means that $\delta(h) \cdot \gamma_1([S^{M,K} + L])$ lies in

$$[\![\varphi_i * a_{i,1} * \cdots * a_{i,M_i}]\!]_{\eta,\rho}.$$

In summary, we have shown that $\delta(h) \cdot \gamma_1([S^{M,K} + L])$ lies in the $n$-ary interpretation of 
the left hand side in the environments $\eta$ and $\rho$. By assumption, the same must hold for the 
right hand side and from this we aim to derive the PC. 
There is $1 \le j \le N$ such that we have

$$\delta(h) \cdot \gamma_1([S^{M,K} + L]) \in [\![\psi_j * b_{j,1} * \cdots * b_{j,N_j}]\!]_{\eta,\rho}.$$

Consider first the case of a non-empty disjunct, i.e., the case $N_j > 0$. We split along the 
disjunct and get

$$\delta(h) \cdot \gamma_1([S^{M,K} + L]) = \delta(g) \cdot g_1 \cdots g_{N_j}$$

for $g \in [\![\psi_j]\!]_\eta$ and $g_k \in \rho(b_{j,k})$ for all $1 \le k \le N_j$. By the properties of segregating sets 
we get that there must be a common $1 \le i \le M$ such that for all $1 \le k \le N_j$ there is 
$1 \le l_k \le M_i$ with

$$\gamma_{l_k}(h - h_i) \cdot \gamma_1([S^{M,K}_{i,l_k} + L]) \sqsubseteq g_k,$$

i.e., the $g_k$'s are all 'from the same conjunct'. But this implies $\Pi(i) \ge \Omega(j)$ as the segregating 
sets are non-empty. Also the above equality enforces $\mathrm{dom}(g) \subseteq \mathrm{dom}(h)$ by the definition of 
$\gamma_1$. Indeed we must have $\mathrm{dom}(g) \subseteq \mathrm{dom}(h_i)$ since in particular we have

$$\gamma_{l_1}(h - h_i) \cdot \gamma_1([S^{M,K}_{i,l_1} + L]) \sqsubseteq g_1.$$

But then $g \sqsubseteq h_i$ so we have $h_i \in [\![\psi_j]\!]_\eta$ too and the first option of the PC holds.

We consider now the case of an empty disjunct, i.e., the case $N_j = 0$. As above we split 
along the disjunct and get

$$\delta(h) \cdot \gamma_1([S^{M,K} + L]) = \delta(g) \cdot g'$$

for $g \in [\![\psi_j]\!]_\eta$ and $g' \in \mathrm{Heap}^n$. Again we must have $\mathrm{dom}(g) \subseteq \mathrm{dom}(h)$ which implies $g \sqsubseteq h$ 
and the second option of the PC holds. □
Appendix F. Proof of Theorem 6.1

Theorem 6.1. Every derivable $\Gamma \vdash \{\varphi\}C\{\psi\}$ is 2-valid.

Proof. We will show that all the rules in the figure of proof rules are sound. This lets us prove the theorem 
by induction on the height of the derivation of a judgment, because using the soundness of 
the rules, we can handle all the base and inductive cases.

Let's start with the rule for the module operation $k$. Suppose that we have $(\eta, \rho, u) \models_2 
(\Gamma, \{\varphi\}k\{\psi\})$. Then, by the definition of $\models_2$, we should have $(\eta, \rho, u) \models_2 \{\varphi\}k\{\psi\}$ as well. 
From this follows the soundness of the rule.

Next, consider four rules: (a) the frame rule for adding $- * \varphi_0$ to the pre and post-
conditions, (b) the rule for adding $\exists x$ to the pre and post-conditions, (c) the rule for 
sequencing, and (d) the rule for the conditional statement. All these rules are sound, 
because of the following four facts:

$$(\eta, \rho, u) \models_2 \{\varphi\}C\{\psi\} \implies (\eta, \rho, u) \models_2 \{\varphi * \varphi_0\}C\{\psi * \varphi_0\}$$

$$(x \notin FV(C)) \wedge (\eta, \rho, u) \models_2 \{\varphi\}C\{\psi\} \implies (\eta, \rho, u) \models_2 \{\exists x.\varphi\}C\{\exists x.\psi\}$$

$$(\eta, \rho, u) \models_2 \{\varphi\}C\{\varphi'\} \wedge (\eta, \rho, u) \models_2 \{\varphi'\}C'\{\psi\} \implies (\eta, \rho, u) \models_2 \{\varphi\}C;C'\{\psi\}$$

$$(\eta, \rho, u) \models_2 \{\varphi \wedge B\}C\{\psi\} \wedge (\eta, \rho, u) \models_2 \{\varphi \wedge \neg B\}C'\{\psi\} \implies (\eta, \rho, u) \models_2 \{\varphi\}\ \mathrm{if}\ B\ C\ C'\ \{\psi\}$$

The first fact is an easy consequence of using the quantification over $\mathrm{IRel}_2$ in the semantics 
of triples. The second also follows easily from the semantics of triples and the fact that 
$[\![C]\!]_{\eta,u} = [\![C]\!]_{\eta[x \mapsto v],u}$ for all $v \in \mathrm{Int}$, as long as one remembers that the $*$ operator distributes 
over union. The third and fourth are not different, and they follow from the semantics of 
triples and commands. Here we will go through the details of proving the fourth fact. 
Consider $(\eta, \rho, u)$ satisfying the assumption of the fact. Pick $r \in \mathrm{IRel}_2$ and heaps $f, g$ such 
that

Now we do the case analysis on whether $[\![B]\!]_\eta$ is true or not. If it is true, then

$$(f, g) \in [\![\varphi \wedge B]\!]^2_{\eta,\rho} * r \ \wedge\ [\![\mathrm{if}\ B\ C\ C']\!]_{\eta,u_1}(f) = [\![C]\!]_{\eta,u_1}(f) \ \wedge\ [\![\mathrm{if}\ B\ C\ C']\!]_{\eta,u_2}(g) = [\![C]\!]_{\eta,u_2}(g).$$

Hence, by assumption, we get that

$$\big([\![\mathrm{if}\ B\ C\ C']\!]_{\eta,u_1}(f),\ [\![\mathrm{if}\ B\ C\ C']\!]_{\eta,u_2}(g)\big) = \big([\![C]\!]_{\eta,u_1}(f),\ [\![C]\!]_{\eta,u_2}(g)\big) \in [\![\psi]\!]^2_{\eta,\rho} * r.$$

If $[\![B]\!]_\eta$ is not true, we reason similarly, but with $C'$ instead of $C$, and get that

$$\big([\![\mathrm{if}\ B\ C\ C']\!]_{\eta,u_1}(f),\ [\![\mathrm{if}\ B\ C\ C']\!]_{\eta,u_2}(g)\big) \in [\![\psi]\!]^2_{\eta,\rho} * r.$$

We have just shown that in both cases, the outcomes of the conditional statements are 
related by $[\![\psi]\!]^2_{\eta,\rho} * r$, as claimed by the fourth fact.

We move on to the rules for heap update and dereference. They are sound because of 
the below two facts:

$$(\eta, \rho, u) \models_2 \{E \mapsto \_\}\ [E] := F\ \{E \mapsto F\}$$

$$x \notin FV(\psi) \wedge (\eta, \rho, u) \models_2 \{\varphi * E \mapsto x\}C\{\psi\} \implies (\eta, \rho, u) \models_2 \{\exists x.\varphi * E \mapsto x\}\ \mathrm{let}\ x = [E]\ \mathrm{in}\ C\ \{\psi\}$$

To prove the first, we pick $(\eta, \rho, u)$, a relation $r \in \mathrm{IRel}_2$ and heaps $f, g$ such that

$$(f, g) \in [\![E \mapsto \_]\!]^2_{\eta,\rho} * r.$$

Then, there exist heaps $h, f_1, g_1$ such that

$$(f, g) = (h, h) \cdot (f_1, g_1) \ \wedge\ [\![E]\!]_\eta \in \mathrm{dom}(h) \ \wedge\ (f_1, g_1) \in r.$$

Thus,

as desired by the first fact. For the proof of the second fact, suppose that the assumption 
of the second fact holds, and pick $r \in \mathrm{IRel}_2$ and heaps $f, g$ such that

$$(f, g) \in [\![\exists x.\varphi * E \mapsto x]\!]^2_{\eta,\rho} * r.$$

Then, there exists an integer $v$ and heaps $h, f_1, g_1, f_2, g_2$ such that

$$(f, g) = (h, h) \cdot (f_1, g_1) \cdot (f_2, g_2) \ \wedge\ h \in [\![E \mapsto x]\!]_{\eta[x \mapsto v]} \ \wedge\ (f_1, g_1) \in [\![\varphi]\!]^2_{\eta[x \mapsto v],\rho} \ \wedge\ (f_2, g_2) \in r.$$

Thus, $(f, g) \in [\![\varphi * E \mapsto x]\!]^2_{\eta[x \mapsto v],\rho} * r$, and $f([\![E]\!]_\eta) = g([\![E]\!]_\eta) = v$. Using these and the 
assumed triple of the second fact, we derive the below:

$$\big([\![\mathrm{let}\ x = [E]\ \mathrm{in}\ C]\!]_{\eta,u_1}(f),\ [\![\mathrm{let}\ x = [E]\ \mathrm{in}\ C]\!]_{\eta,u_2}(g)\big) = \big([\![C]\!]_{\eta[x \mapsto v],u_1}(f),\ [\![C]\!]_{\eta[x \mapsto v],u_2}(g)\big) \in [\![\psi]\!]^2_{\eta[x \mapsto v],\rho} * r = [\![\psi]\!]^2_{\eta,\rho} * r.$$

The last equality holds, because $x$ does not appear in $\psi$. We have just proved that the 
output states of two dereferencing commands are $([\![\psi]\!]^2_{\eta,\rho} * r)$-related, as claimed by the 
second fact.

Finally, we prove that the rule of consequence is sound. It is sufficient to show that

$$\mathrm{Chk}(\varphi', \varphi) \wedge \varphi' \models_1 \varphi \wedge \mathrm{Chk}(\psi, \psi') \wedge \psi \models_1 \psi' \wedge (\eta, \rho, u) \models_2 \{\varphi\}C\{\psi\} \implies (\eta, \rho, u) \models_2 \{\varphi'\}C\{\psi'\}.$$

From the first four conjuncts of the assumption, it follows that

$$\varphi' \models_2 \varphi \ \wedge\ \psi \models_2 \psi'.$$



This is due to the correctness of Chk, which holds because all the transformations used in 
the first check of Chk are based on semantic equivalences holding in $\mathrm{IRel}_2$ and the second 
lifting check is sound because of our lifting theorems. In order to prove the conclusion of 
the above implication, pick $r \in \mathrm{IRel}_2$ and heaps $f, g$ such that

$$(f, g) \in [\![\varphi']\!]^2_{\eta,\rho} * r.$$

Since the $*$ operator is monotone and $\varphi' \models_2 \varphi$, we get that

$$(f, g) \in [\![\varphi]\!]^2_{\eta,\rho} * r.$$

This relationship and the assumed triple $\{\varphi\}C\{\psi\}$, then, imply the below:

$$\big([\![C]\!]_{\eta,u_1}(f),\ [\![C]\!]_{\eta,u_2}(g)\big) \in [\![\psi]\!]^2_{\eta,\rho} * r.$$

Again, since $\psi \models_2 \psi'$, the monotonicity of the $*$ operator implies that

$$\big([\![C]\!]_{\eta,u_1}(f),\ [\![C]\!]_{\eta,u_2}(g)\big) \in [\![\psi']\!]^2_{\eta,\rho} * r.$$

Note that this is the conclusion that we are looking for. □